Developments in Privacy and Data Ownership in Mobile Health Technologies, 2016-2019.

OBJECTIVES: To survey international regulatory frameworks that serve to protect privacy of personal data as a human right as well as to review the literature regarding privacy protections and data ownership in mobile health (mHealth) technologies between January 1, 2016 and June 1, 2019 in order to identify common themes.
METHODS: We performed a review of relevant literature available in English published between January 1, 2016 and June 1, 2019 from databases including PubMed, Google Scholar, and Web of Science, as well as relevant legislative background material. Articles out of scope (as detailed below) were eliminated. We categorized the remaining pool of articles and discrete themes were identified, specifically: concerns around data transmission and storage, including data ownership and the ability to re-identify previously de-identified data; issues with user consent (including the availability of appropriate privacy policies) and access control; and the changing culture and variable global attitudes toward privacy of health data.
RESULTS: Recent literature demonstrates that the security of mHealth data storage and transmission remains of wide concern, and aggregated data that were previously considered "de-identified" have now been demonstrated to be re-identifiable. Consumer-informed consent may be lacking with regard to mHealth applications due to the absence of a privacy policy and/or to text that is too complex and lengthy for most users to comprehend. The literature surveyed emphasizes improved access control strategies. This survey also illustrates a wide variety of global user perceptions regarding health data privacy.
CONCLUSION: The international regulatory framework that serves to protect privacy of personal data as a human right is diverse. Given the challenges legislators face to keep up with rapidly advancing technology, we introduce the concept of a "healthcare fiduciary" to serve the best interest of data subjects in the current environment. Georg Thieme Verlag KG Stuttgart.

Introduction

Privacy has long been considered a human right 1 2 . Defined as the amount of personal data and information that people allow others to access about themselves 4 , privacy in healthcare can be particularly important to patients 5 and may be threatened when technologies are employed to monitor the health and wellbeing of people 1 . Confidentiality is the process of keeping one’s data private 4 . This is critical to medical practice as some people may not seek care or share sensitive information with a provider if they do not believe their data will be kept confidential 5 6 . A breach of confidentiality, whether it be through data security vulnerabilities or otherwise, is a threat to one’s privacy 1 ; users will have less trust that their information is to be kept private, safe, and secure if it can easily be accessed and used by others. Data security relies on the technical, physical, and administrative safeguards that protect personal information held by an entity 7 8 .

Privacy, confidentiality, and data security are therefore very important concepts in healthcare today, while continual advances in technologies make it increasingly difficult to protect these concepts. In this article, we focus on mobile health (mHealth) technologies as one of these emerging areas that challenge the industry to revise and solidify its perspective in this regard. We chose mHealth given its rising ubiquity throughout the health care ecosystem as well as the fact that its porous nature poses key ethical and informatics challenges.

Background: Global Privacy Laws

Information privacy has long been important in International Law 9 . The Fourth Amendment to the US Constitution is central to the US privacy law 10 . The Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocol No. 11, is central to European privacy law 11 . Although a seminal article in 1890 discussed the right to privacy 12 , modern day privacy concepts evolved in part from Article 8 of The European Convention on Human Rights 13 14 and a 1973 report by the future US Department of Health and Human Services (HHS), which encouraged Congress to adopt a “Code of Fair Information Practices” 15 , and which led to the Privacy Act of 1974 16 . These Fair Information Practices Principles (FIPP) have since served as a framework for the governance of personal data and spurred substantial growth in privacy law around the world 9 17 .

Europe: Informed by The European Convention on Human Rights, the General Data Protection Regulation (GDPR) was enacted in 2016, which automatically applies to all 27 member states in the European Union (EU) 18 19 . Increasingly considered the gold standard for legal expertise in the area of health information privacy 20 21 , the GDPR has larger reach compared with previous models; in it, all individuals, organizations, and companies (not just those related to healthcare) are classified as either “controllers” (which determine the purposes and means of the processing of personal data) or “processors” (which perform operations on the data on behalf of the controller) 22 . It also defines “personal data” much more broadly 22 , as “any information relating to an identified or identifiable natural person” 18 . The GDPR provides a number of fundamental rights to data subjects, including those defined in Table 1 18 22 . Violations of the law may result in hefty fines, fines which depend on the severity of the infraction but can peak at 20 million euros or 4% of an entity’s annual revenue worldwide 18 . Despite many criticisms, the GDPR has become the current gold standard, given its attention to personal data privacy and data portability. In the context of health care data, such focus is a particularly valuable asset 23 .

Table 1

Selected data subject rights provided in GDPR 18 22

Article	Data Subject Right	Definition
13	Right to be informed	Data subjects have the right to be provided with certain information from a data controller that has collected their data.
15	Right to access information	Data subjects have the right to obtain confirmation from a data controller as to whether or not their personal data are being processed and, if so, to access that data and certain information.
16	Right to rectification	Data subjects have the right to correct inaccurate personal data held by a controller and to complete personal data that is incomplete.
17	Right to erasure	Also known as “the right to be forgotten,” data subjects have the right to request that the controller of their personal data erase certain data concerning them which has been made public, taking account of available technology and the cost of implementation. The controller shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data of the request.
18	Right to restriction of processing	Data subjects have the right to set restrictions on the processing of their data by a controller in certain instances.
20	Right to data portability	Data subjects have the right to receive their personal data from a controller in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without any hindrance from the controller providing the data.
21	Right to object to the processing of personal data	Data subjects have the right to object at any time, on situation-specific grounds, to the processing of personal data concerning them. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or the processing is necessary for the performance of a task carried out for reasons of public interest.
22	Right to object to automated decision-making	Data subjects have the right not to be subject to any individual decision based solely on automated processing, including profiling, if such a decision leads to significant ramifications (legal and otherwise), subject to certain exceptions.

United States: In 1996, the United States passed the Health Insurance Portability and Accountability Act (HIPAA), which was the first US federal statute to address the privacy of medical records, and considered the well-known model for regulation in this area until promulgation of the GDPR 8 9 24 . FIPP and HIPAA both recognize that individuals should be able to (1) access their individually identifiable health information, (2) correct its accuracy and integrity, and (3) trust that their information will be collected, used, and disclosed consistent with their expectations through openness and transparency. In addition, an individual should be able to make informed consent about such information, which should only be collected, used, and disclosed to the extent necessary for a particular purpose. Data quality and integrity should be maintained through security safeguards and organizational accountability 17 . HIPAA is a compliance-oriented regulatory model which does not provide for a private right of action 25 . The HITECH Act of 2009 subsequently enhanced penalties for HIPAA violations, expanded enforcement, and added a data breach notification requirement 9 26 . HIPAA has a number of limitations, including the fact that it does not cover all medical records (only those maintained by certain types of record holders) and that it does not cover all parties that possess medical information 9 27 28 . It is therefore important to note that HIPAA does not cover many websites that gather health information 9 . Privacy laws in the United States additionally do not provide for comprehensive regulation and do not account for technological innovation 29 . Instead, various government agencies hold specified responsibilities. The U.S. HHS Office for Civil Rights plays the main role in enforcing HIPAA. The Food and Drug Administration regulates the efficacy and safety of medical devices 30 and has proposed voluntary cybersecurity guidance for connected medical devices 27 28 29 31 32 . The Federal Trade Commission may regulate unfair and deceptive trade practices in or affecting commerce, which may include deceptive acts which fail to adhere to state privacy policies and procedures 27 29 33 . That said, certain particularly sensitive health information has been addressed by subsequent federal legislation such as the Genetic Information Nondiscrimination Act of 2008 (GINA), which seeks to prohibit discrimination on the basis of genetic information with respect to health insurance and employment. This includes information about genetic tests, services or research obtained, or manifestation of a genetic disease by an individual or their family members 34 .

At the state level, California passed the California Consumer Privacy Act of 2018 (CCPA), heavily influenced by the GDPR, with an effective date of January 1, 2020 35 36 . Given the limitations of US federal law noted above, the CCPA is the most comprehensive set of data privacy laws and individual protections in the United States to date 19 . The CCPA takes an even more expansive approach than the GDPR with respect to its definition of “personal information,” as being any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” 37 38 . While the GDPR regulates data processing, the CCPA also regulates collection and sale of data, but does not provide a safe harbor for GDPR compliance 38 39 . A subsequent California Senate Bill amended the CCPA in a number of ways, including clarifying that certain identifiers are no longer automatically included within the definition of “personal information” and that a consumer’s right to litigation only applies to data breaches 36 . Although the fines for violation of the CCPA are less severe than the GDPR 35 , both pieces of legislation have resulted in changes in the behaviors of large multinational corporations 40 , and, given the broader definitions applied and the rights incurred to citizens, are rapidly becoming the de facto global standards for data privacy and protection 20 21 .

South America: On August 14, 2018, Brazil enacted its first legislation that provides for the data protection of individuals and private and public legal entities, which will go into effect with modifications in 2020 41 42 . This General Data Protection Law was largely inspired by the GDPR 43 and defines personal data to include “data related to the health or sexual life of a person, genetic information, or biometric data.” 42 . The Argentina Personal Data Protection Act or Protection of Personal Information Act (POPIA) has been in effect since 2000 44 . However, the Argentinian government has recently proposed a bill to bring this law in line with the GDPR, including new definitions such as biometric and genetic data 45 .

Asia: In 2005, the Asia-Pacific Economic Cooperation (APEC) established the APEC Privacy Framework 46 , which was updated in 2015 47 . To implement this Framework, APEC developed the Cross-Border Privacy Rules System Program Requirements 48 . APEC economies endorsed the Privacy Framework because it is important in the development of appropriate information privacy protections to ensure the flow of information in the region 46 . It is consistent with the core values of The Organization for Economic Cooperation and Development’s (OECD’s) Guidelines on the Protection of Privacy and Trans-Boundary Flows of Personal Data. The OECD, a global organization of countries committed to the market economy and personal democracy which had created guidelines for the protection of privacy information in 1980 49 50 , adopted a revised Recommendation Concerning Guidelines Governing the Principles of Transborder Flows of Personal Data in 2013 51 . This was non-binding and in and around that time period, many countries around the world adopted data protection laws based on its Information Privacy Principles. The APEC Cross Border Privacy Rules system (CBPR) has broad areas of similarity with the current GDPR, but whereas the GDPR is based on the individual’s fundamental right to data protection and privacy within a union in which data is freely-flowing, the APEC CBPR focuses on facilitating data transfers across borders within the context of its defined data protection parameters 52 .

Japan has had one of the earliest privacy laws in Asia, the Act on the Protection of Personal Information (APPI), enacted in 2003 53 . It was extensively amended and significantly enhanced in May 2017, one year before the GDPR 53 54 . The APPI now defines “sensitive personal data to include physical or mental disabilities, results of certain medical exams, records of medical treatment and advice” 42 .

When it was enacted in 2011, South Korea’s Personal Information Protection Act (PIPA) was Asia’s toughest data privacy law 55 56 42 . PIPA defines “sensitive personal data” to include health, sexual preferences, and bio-data” 42 . The country additionally has a sector-specific law, known as the “Network Act,” which governs information and communication service providers 57 .

On November 6, 2016, China passed the Cybersecurity Law of the People’s Republic of China, which was effective the following June 58 . While this legislation does not regulate all aspects of privacy and cybersecurity, it does have a wide scope and includes many broadly defined terms making it open to interpretation 59 . From a security standpoint, the law focuses on the protection of infrastructure and data storage requirements. From a privacy perspective, it pulls from other countries’ legislation regarding informed consent and the use of personal information for a limited purpose. Like the GDPR, it adds an individual right to question correctness or request deletion of personal information 60 61 .

Africa: South Africa signed the Protection of Personal Information Act (POIPA) into law on November 19, 2013 62 63 . Under POIPA, “special personal information” includes data on an individual’s health, sex life, or biometric information, but unlike the GDPR, data subjects can waive their right to a privacy notice 62 . Further regulations were promulgated under POIPA in 2018 64 .

In February 2019, Uganda enacted the Data Protection and Privacy Act (DPPA), which provides rights for and protects the privacy of citizens by regulating the obligations of data collectors, processors, and controllers. As such, it prohibits these entities from collecting, holding, and processing personal data which infringes on the privacy of a data subject 65 .

In November of the same year, Kenya signed into law the Data Protection Act (DPA), which was preceded by the Privacy and Data Protection Act of 2018. This new law, modeled after the GDPR, outlines the rights of individuals whose data is collected and regulates the collection and processing of data by a data controller or processor. It also provides for certain protections for processing of sensitive personal data and personal data relating to health 66 .

Australia: Australia Privacy Principles (APPs) form the basis for the privacy protection in the Privacy Act 1988, which was amended in 2018 to add mandatory notification procedure for data breaches, which must take into consideration the sensitivity of the information 64 67 68 69 70 71 . Additional privacy regulations include applicable state and territory laws, which may relate specifically to health privacy 72 . If an organization participates in the Australian eHealth system, it must comply with the Personally Controlled Electronic Records Act of 2012 (PCEHR Act) 73 and the Health Identifiers Act of 2010 (HI Act) 69 70 71 . In the context of these laws, “sensitive information” includes heath, genetic, and biometric information 72 . The PCEHR limits when and how health information in an electronic health record can be collected, used, and disclosed.

World Privacy Laws

Methods

We performed a review of relevant literature available in English published between January 1, 2016 and June 1, 2019 from databases including PubMed, Google Scholar, and Web of Science. Search terms included: “data ownership,” “data sharing,” “privacy,” “data privacy,” “genetic privacy,” “confidentiality,” “data security,” “computer security,” “Health Insurance Portability and Accountability Act,” “protecting data,” or “data protection” combined with any of the following: “mobile health,” “mhealth,” “health app,” “direct-to-consumer genetic testing,” “direct-to-consumer genetic screening,” or “telemedicine,” as well as relevant abbreviations and lexical variants of the above. Search strings are available as Supplemental File 1 .

Articles focused solely on techncal specifications or security protocols, research-based initiatives, and traditional telemedicine (i.e., through videoconferencing) were determined to be out of scope. In addition, given the abundance of literature meeting criteria, the authors decided to further limit the scope by eliminating articles related solely to consumer genetic testing. We categorized the remaining pool of articles as pertaining to (1) Issues regarding mHealth privacy and security, (2) User perceptions and attitudes related to such, or (3) Related ethical, legal, governance, or policy frameworks. From the first two categories, we identified a number of discrete themes, specifically: concerns around data transmission and storage, including data ownership and the ability to re-identify previously de-identified data; issues with user consent (including the availability of appropriate privacy policies) and access control; and the changing zeitgeist and variable global attitudes toward privacy of health data. These themes are addressed in detail below and serve, along with material from the final category, to inform the authors’ discussion and conclusions.

Themes

Data Transmission and Storage

Mobile app data security continues to be an area of concern for the industry. Many authors discuss the vulnerabilities of data when being stored or during transmission to third parties 28 74 75 . There is still some debate in the literature about the security risks and benefits of the cloud; while some authors fear that cloud infrastructure is more susceptible to privacy and security attacks 76 , others postulate that cloud service providers may address data privacy and security more effectively due to economies of scale and scope, which enable them to maintain more sophisticated defenses against cyber-attacks 77 .

Physical security is also an issue. Authors express concerns about misplacement, theft, or loss of mobile devices 78 79 . More than 1/3 of smartphone users do not apply security measures to prevent access to their phone, and sharing of phones among family members is common in many countries 80 81 .

It is certainly evident that many mHealth apps on the market lack appropriate privacy and security measures. This has been found to be the case even among many apps certified by trusted bodies or widely used by the health care community. For example, of 79 apps certified as being clinically safe and trustworthy by the United Kingdom National Health Service, 89% were found to transfer information online, 66% of which was not encrypted 82 83 84 85 . WhatsApp, a popular instant messaging app that has gained popularity among clinical providers and in the global health space as being supposedly HIPAA-compliant did not have security measures such as end-to-end encryption for some time; now, even with additional security measures in place, concerns still exist around whether these are sufficient to meet HIPAA security standards 86 87 88 . In a study of 20 of the most popular “Medical” and “Health and Fitness” apps, only 20% of those that transmitted data over the network did so using a secure connection 89 . In another study of 137 selected mHealth apps, more than 60% allowed for transmission of health information via insecure methods 90 . Similarly, in a study of 53 mHealth apps available in the EU, 21% failed to protect session data in transport 91 .

That same study showed that 40% of the apps failed to protect the integrity of the data they displayed 91 . Other authors also expressed concerns that data integrity could be compromised as a result of attacks during transmission over public networks or simply due to immature sensor-based technology 74 75 78 80 92 . Another oft-cited concern regarding data collected outside of the clinical setting regards its authenticity, accuracy, and provenance 92 93 . Securely tagging such data with metadata could help in attributing authenticity of authorship. Additionally, methods for collecting and presenting contextual information, such as whether a blood pressure cuff was applied correctly, need to be developed. As such, mHealth apps are creating new silos of data which can be a challenge to integrate into electronic health record and health information exchange ecosystems 94 .

Numerous stakeholders (including patients, providers, healthcare systems, government bodies, technical service vendors, and network infrastructure suppliers) hold intersecting rights and responsibilities regarding an individual medical record and the data therein. “Ownership” of such data involves questions of who possesses or allows access to it and who gains from any intellectual property that may subsequently be developed 74 95 . Commercial institutions or vendors may sell de-identified information to data brokers who may then indefinitely own a patient’s data and use it for a variety of purposes, including targeted ads or larger profiling efforts 27 . This type of aggregate data mining by third parties can still be linked back to the individual. In 2000, Latanya Sweeney first demonstrated that 87% of the US population (216 million people) could be uniquely identified from only their data of birth, gender, and 5-digit zip code 96 97 98 . More recently, she demonstrated the ability to correctly identify 25% of research participants by name and 28% by address from data redacted beyond the HIPAA Safe Harbor standard 99 . Other authors have demonstrated the ability to re-identify at least 90% of Americans utilizing credit card metadata or via statistical models 96 100 101 . Given this emerging area of research, the need to systemically identify all stakeholders and potential data “owners” becomes increasingly essential in the identification of potential downstream security risks to users.

Informed Consent, Privacy Policies, and Access Control

Informed consent, in the context of mHealth applications, involves the permission granted by patients or their legal representative regarding when and with whom their personal information is shared 74 . This, along with mechanisms to enable individual control of data, supports the ethical frameworks of autonomy or respect for persons, as well as beneficence and non-maleficence 95 102 103 .

Consumers are often unaware of all of the ways a service may collect and analyze their data or the extent to which their data may be sent to third parties 104 . Transparency, therefore, is of the utmost importance. However, the literature is consistent in its illustration of the mHealth industry as being poorly compliant with the provision of appropriate privacy policies or Terms of Service agreements to users 84 89 90 105 106 107 108 109 110 111 112 113 . Where privacy policies do exist, they are often non-specific to the app in question, may not inform users if the policy is being updated or if their data is to be shared, and may not provide users the right to access their personal data or be otherwise HIPAA-noncompliant 107 108 110 114 115 116 .

Although Article 12 of the GDPR requires that companies explain how data will be processed in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” 18 , most mHealth app privacy policies studied have been found to be roughly the length of an academic journal article and have a readability at university level 107 113 117 , making them inaccessible to a large percentage of consumers and posing a risk for inequity between the highly-educated who are able to comprehend their privacy rights and options and the rest of the population. Users often agree on the assumption of minimal risk, as reading dense policies is onerous and time-consuming 118 119 120 . Moreover, while Article 7 of the GDPR specifies that information sharing as a condition of use may prohibit consent from being “freely given” if processing of data is not necessary for performance of such a contract 18 , the literature notes that users are frequently required to agree to data sharing in order to access relevant mHealth devices and services 79 121 , which may also predispose them to agree to privacy policies or terms without full perusal or understanding.

Multiple authors, therefore, recommend increasing education to improve digital literacy and citizenship, both among professionals and patients 74 122 123 . Some authors additionally point out the “notice and choice paradigm” whereby the limited user interfaces inherent to many mHealth products make it difficult to surface adequate notice of privacy policies; while vendors can and do send their policy statements through e-mail, the user may not directly associate them with the app or wearable 33 . Therefore, several propose “just in time” strategies for requesting user consent and other modalities to improve policy effectiveness 107 124 . That said, one author notes that even among educated users who were aware that consenting to a company’s terms of use constituted a legal contract, very few reported reading the agreements before consenting to them 125 .

It has also been noted that, when creating such policies, application developers are truly challenged to fully anticipate and identify all third-party stakeholders and potential data streams for inclusion. For instance, many of the commonly-used software development kits (SDKs) for mobile apps rely on companies that do not explicitly state how user information is shared; moreover, in at least one case, an SDK was found to be accessing user data from its product apps via private APIs 126 127 . To assist with such challenges, the United States Office of the National Coordinator for Health IT (ONC) has designed a Model Privacy Notice, “a voluntary, openly available resource that can provide a standardized, easy-to-use framework to help developers clearly convey information about privacy and security to their users” 128 .

Although privacy policies are of critical importance, research suggests that users are often set at ease regarding their privacy, and data sharing is more likely to occur when procedures are put in place that provide individuals with control over disclosure and subsequent use of their personal information 129 . User trust can be established by allowing clear understanding, choice, and control; therefore, multiple authors recommend providing users with as much control over their data as possible, including granular control over sharing of that data with third parties 79 97 130 . In the context of mobile apps, control over an application’s access to other device functionality is of utmost importance. In a recent study of mHealth apps, a number of them were found to request “dangerous” permissions to access areas that involve the user’s private information or stored data, including those outside of the applications’ scope, such as the use of the microphone, Bluetooth connectivity, the user’s contacts or calendar 89 . When wearables or ambient living systems are involved, issues of surveillance, including location disclosure and capturing bystanders without their consent are of great concern and require appropriate access control 124 130 131 132 .

Dynamic User Attitudes Toward Privacy

Our survey also highlighted changes in user attitudes and variability across cultures regarding privacy of personal health data. Individual privacy protection expectations in open data sharing environments are both relative (depending on which parties may receive said data) and time-dependent, in that risk of sharing may either diminish or increase over time 133 . The concept of privacy could therefore be considered a moving target.

We have summarized user perceptions of privacy in Supplemental Table 1 . From this literature, we make the following observations:

User concern with privacy of personal data collected by mobile health apps is widely variable. In some studies, data privacy and security was cited as of primary concern or importance 74 134 138 , while in others, users expressed very little concern 125 139 140 141 142 143 144 145 . Still other authors noted this dichotomy within their reported results with some participants expressing significant privacy concerns and others stating it to not be an issue 146 147 . While some users expressed such concerns related to collection of highly sensitive-data, such as that related to behavioral health, reproductive health, or HIV status 135 148 149 150 151 , other users who provided such data still reported little unease related to their privacy 139 142 152 153 154 .

Recent mHealth interventions in developing countries have frequently involved text message reminders. While fewer overall privacy and security concerns were generally reported by users in these countries, sharing of phones was stated to be a significant area for consideration 139 140 141 149 151 153 155 156 .

In some settings, professionals and caregivers expressed greater concern than the patients they served regarding the security of personal health data 155 157 158 .

Higher expressed privacy, confidentiality and/or security concerns were often negatively correlated with technology acceptance and use 145 151 157 159 160 161 162 .

There may be international variation and/or gradual cultural shifts in user awareness regarding the risks inherent in big data. While participants in an American study reported that viewing of their personal health data was innocuous since it was likely only valuable in aggregate 125 , a larger study in the UK (where the GDPR is now in effect) reported concerns about transfer of their data both under their real identity as well as under a random pseudonym 114 , suggesting an understanding of the risks of re-identification of pseudonymized data.

Discussion

This survey of recent developments related to privacy, confidentiality, and data security of mHealth applications demonstrates that the global information technology industry and health care ecosystem which it supports remain in a dynamic and rapidly-maturing state. Although many countries and federations have enacted legislation to define and protect the right to privacy of personal data for individuals, there remain concerns that regulatory supervision is inadequate. As methods of data transfer become increasingly complex, the risk for compromise of highly sensitive patient health data also increases 31 163 . Currently, much information is being processed without the knowledge and informed consent of the people who generated the data 164 . Even where measures such as the GDPR attempt to provide protections, gaps in local law may pose a challenge for technology design. For instance, though Spain and Czechoslovakia are members of the EU, Spanish law defines where and under which measures data should be physically stored, whereas Czech law does not 165 . It is thus not currently feasible to adopt international privacy standards that would cover all the health care data that currently exists and to anticipate new data streams that may emerge from developing technologies. mHealth apps are also increasingly being used in developing countries, which may have no privacy or data protection laws 79 . Additional legal provisions are therefore arising to support such gaps, such as the recent Planet 49 decision, in which the Court of Justice of the European Union ruled, in line with the GDPR, that privacy consent must be given by a clear affirmative act as opposed to pre-ticked boxes 166 .

Risks related to data storage and transmission, as well as the re-identification of aggregated data, are real but may not be universally recognized by the general public 125 . User perceptions of privacy and concerns related to confidentiality of personal data are widely variable (see Supplemental Table 1 ). Even individuals concerned with protecting their confidentiality may not choose to fully inform themselves regarding the risks of disclosure and sharing of that data through the use of a mobile health app or service, often due to the impenetrable language and lengthy format of such privacy policies. Users do, however, commonly request increased choice and control over their data, and app developers grapple with how to enable such granular controls and display them according to usability heuristics. Additionally, consumers seem to be starting to recognize that pseudonymized data shared in aggregate may not be as private as previously thought 114 , which poses further challenges to vendors and data brokers to consider privacy protections related to big data.

Our current global environment, therefore, is one in which local and international legislation continues its attempts to keep up with rapidly-advancing technological developments, but one in which significant gaps in policy and regulatory frameworks are inevitable. In such a dynamic state, some have argued that any entity in possession of an individual’s data (that is, the “holder” of that data, which controls it and could seek to profit from it to the detriment of the individual) stands in a position of trust with regard to that person. One expert suggests “that many online service providers and cloud companies who collect, analyze, use, sell, and distribute personal information should be seen as information fiduciaries through their customers and end-users.” 167 .

A fiduciary has a legal obligation to act in the best interest of its client 170 . Therefore, we and others have suggested that entities which hold personal health data (such as mHealth app vendors, data brokers, and third parties with whom they share data) be therefore considered “health care information fiduciaries.” 169 170 . Further definition of this concept based on the type of health care information possessed, how such information was generated, the intended recipients and purpose of transmittal, as well as potential benefits a holder might derive from the data could help to further clarify this proposed role and the obligations that could ensue. If the concept of a health care fiduciary was recognized in a democracy, that concept should be upheld and interpreted by the applicable courts. If the concept was recognized in a dictatorship, it could likely be subject to the interpretation of that dictator. Additional analysis of how such a role would be regulated is a subject for future exploration 169 170 .

Conclusion

In summary, the international regulatory framework that serves to protect privacy of personal data as a human right is diverse and increasingly influenced by the GDPR. This framework serves as a new model to define data as relating to the person (instead of the transaction) and to provide additional rights to the individual such as the right to object to processing and the right to erasure. As the law is evolving, the literature regarding mHealth applications over the past several years demonstrates that the security of data storage and transmission remains a concern, and the question of data “ownership” is complicated by the multiple stakeholders who have access to such data in the current ecosystem, often without the knowledge of the subject of the data. Consumers are often uneducated regarding the ways a service may collect and transmit their data to third parties; yet even when they are aware of the implication of vendor terms of service, most users do not read these policies before consenting due to policy length and complexity. While there is a wide variation in user perspectives of privacy – even those related to traditionally sensitive data types – there is evidence that improved access control measures are beneficial to the acceptance of technology and data sharing. Challenges arise in consideration of data aggregation, previously considered to be de-identified, as this has now been demonstrated to commonly be re-identifiable through a variety of mechanisms. Given that legislation is unable to keep up with the rapidly-advancing technology and consumer education and self-advocacy is limited, the concept of a “health care fiduciary” will be a fertile area for discussion as a means to act in the best interests of data subjects, and in so doing, to protect the basic human right of privacy in an equitable fashion across a dynamic ecosystem.