What can I do as a user to protect my data?
Döring: On the whole, this is a very complex subject. For example, it's key to find out whether the data remains on the device or whether it is being transferred to third parties. The country in which the provider is located is also a highly relevant concern. Not all countries have a high data protection standard as is the case within the EU, even though international providers from the U.S., for example, must also guarantee a comparable level of data protection. Another step for the user would also be to find out whether another company that's located in yet another country is involved in the development. Data could be exchanged via this step as well.
How could these types of apps put your privacy in danger?
Döring: Needless to say, there is always the danger that this data falls into the hands of unauthorized third parties. If users exclusively manage the data on one device and if this data is not transferred, users are still somewhat in control – as long as they don't lose their cell phone. Having said that, the data must always be encrypted. There is a relatively low risk that third parties can access the data in this case. Data must also be encrypted if it is being transferred, so third parties are unable to access it. Obviously, if third parties already have access to the data, users have almost no control over what happens to their information, especially if they "pay" with their data, meaning they have to provide their information to benefit from the app. Needless to say, this is often hard to discern for the ordinary person. Many people don't read the data protection guidelines. When it comes to depression apps, it makes sense to use information sources like the German Depression Relief Foundation (Stiftung Deutsche Depressionshilfe). In their search for reputable providers, depression sufferers can look to recommendations provided by health insurance companies, physicians, foundations or independent websites.
Which important changes will take effect with the new Federal Data Protection Act?
Döring: In Germany, data protection has essentially been part of the legal framework for the past 40 years, and the central idea has not changed much. Basically, users have to agree to the use and processing of their personal data. Users must first consent, or there must be a legal basis, such as a contractual relationship, for example. The major difference from before is that the data controller can now indicate a "legitimate interest" to process the data. Of course, this is a very open concept. A "legitimate interest" can actually pertain to just about anything. That's why an app provider can process the personal data of affected parties in many cases. On the flip side – and this is a new aspect as well – depression app users must be fully informed about any data processing. Every time data is processed, the app provider must now be proactive and inform the user about the data that is being collected, why, and how long this data is being stored. App providers must also indicate when data is being erased. Managing directors are liable for data processing. There is now more transparency on that score. Users are also able to request information, though this was also an option before the new changes took effect. For example, the user of a depression app can request details about the data that is being processed by a provider.