Tag Archive: mobile apps

EUROPE: App Developers Working on Privacy Code of Conduct for Mobile Health Applications

By Patrick Van Eecke (Partner, Brussels) & Julie De Bruyn (Associate, Brussels)

Mobile HealthNew apps are being developed at the speed of light, and almost simultaneously, legislators around the world are busy revising existing, or drafting new, data privacy legal frameworks. While ideally both should move in harmony, it appears that they are not, with (new) privacy rules often being too theoretical, leaving app developers puzzled.

The importance of creating an intelligible legal framework for data processing apps, and in particular apps collecting and processing health data (“mHealth apps”), was confirmed by the Article 29 Working Party last year in February, when they published a letter responding to the European Commission, who requested clarification of the scope of the definition of health data in connection with lifestyle and wellbeing apps. In the annex to the letter the Working Party identified three main scenarios where personal data processed by such apps are to be considered as “health data”:

  1. The data processed by the app is inherently/clearly medical data;
  2. The data is raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person;
  3. Conclusions are drawn about a person’s health status or health risk (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate).

App developers themselves have not been standing still either. A group of stakeholders representing the industry have been organizing meetings with the European Commission in view of creating clarity in the mHealth app landscape. As a result of such meetings, in December last year, a Draft Code on Privacy for Mobile Health Applications was released, reflecting the ongoing discussions and the overall goal of the industry to translate existing (and future) privacy rules into workable criteria and guidelines.

The draft Code aims to provide specific and accessible guidance on how European data protection legislation should be applied in relation to mHealth apps. While the app industry consists of many different stakeholders (including the actual developers, OS and device manufacturers, app stores, users of the app, and other third parties such as advertising networks and similar intermediaries), the draft Code specifically targets app developers due to the consideration that they are the ones responsible for designing and/or creating the software which will run on the smartphones of the users, and thus for deciding the extent to which the app will access and process different categories of personal data in the device and/or through remote computing resources.

Further to the clarification previously given by Article 29 Working Group, the draft Code defines “data concerning health” as any data related to the physical or mental health of an individual, or to the provision of health services to the individual. Examples of data concerning health include inter alia data describing the health status or health risk of an individual, or data describing a medical intervention undertaken in relation to an individual. The definition is further clarified in the draft Code by means of use cases, for instance the following:

An app allows a user to track whether she has taken her prescribed medications and thus complies with the advice provided by her doctor. This app will be deemed to process data concerning health, since the consumption of medication is indicative of the health of an individual.

While the Code is a work in progress, it nevertheless already provides helpful tools and guidance that can be used by up and coming and established app developers, such as:

  • practical guidelines on obtaining consent from app users,
  • an overview of the main principles that must be complied with before making an mHealth app available,
  • a set of questions to allow app developers to carry out a Privacy Impact Assessment,
  • what information is to be provided to the users before they may use the app (including a short and long form information notice),
  • how long the data can be retained,
  • what to do in the event of a personal data breach, and
  • how to ensure the security measures in place are adequate taking into account the types of data and nature of the data processing operations.

The draft Code clarifies that whether or not the actual app developer falls within the scope of applicability of European data protection law, largely depends on the design choices when the app was created. Futhermore, the Code specifies that if an app developer does not exercise any control over the processing of personal data through the app, and does not use the outcome of the processing (which will commonly be the case if no personal data is ever sent to the app developer or to any other third party by the app) then the app developer will not fall within the scope of EU data protection law.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com) or Julie De Bruyn (julie.debruyn@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-app-developers-working-on-privacy-code-of-conduct-for-mobile-health-applications/

Connected Cars & Privacy: Automotive industry adopts consumer privacy principles

by Patrick Van Eecke and Julie De Bruyn

Last week proved to be an important week for privacy and data protection in the US: while representatives of the European Commission were negotiating with US representatives on government surveillance and the extension of the US Privacy Act to EU citizens, the US Alliance of Automobile Manufacturers (‘Alliance’) together with the US Association of Global Automakers (‘Association’) published their ‘Consumer Privacy Protection Principles’ (‘Principles’) on 12 November 2014.

Although smart vehicle technologies and services offer numerous benefits to owners and users, the Alliance and the Association are conscious that consumer trust is essential to the success thereof that should therefore not be overlooked. The Privacy Principles aim to provide a framework for US automobile manufacturers when processing information obtained through vehicle technologies and services, which may assist in for instance enhancing safety, diagnosing vehicle malfunctions, reducing traffic congestion, calling for emergency assistance, etc. 

Each member of the Alliance and/or Association may upon its own discretion decide whether to adopt the Principles, and other companies – who are not a member – may also decide to adopt them. Examples of participating members who so far have committed themselves to respecting the Principles include the North American affiliates of inter alia BMW, Chrysler, Ford, General Motors, Hyundai, Kia, Toyota and Volkswagen. The accountability principle as foreseen in the Principles requires that each participating member takes reasonable steps to ensure that it and its other entities that receive covered information adhere to the Principles.

The Principles apply to the collection, use and sharing of information obtained through vehicle technologies and services available on cars and light trucks sold or leased to individual consumers for personal use in the United States. Within the Principles, the term ‘personal data’ or ‘personal information’ appears to be deliberately avoided and instead the legally neutral term ‘covered information’ is used. The data subjects concerned are the vehicle owners or registered users.

The Principles appear to be influenced by the European data protection framework, albeit with a US flavour. Similarly as under the European Data Protection Directive, the principles do not apply to information that has been altered or combined so that the information can no longer reasonably be linked to the vehicle from which the information was retrieved, the owner of that vehicle or any other individual (data anonymisation). The key principles include:

  • Transparency –  Clear, meaningful notice about the collection, use and sharing of covered information must be provided to the owner or user, for instance by including a notice in the vehicle owner’s manual, on paper or electronic registration forms and user agreements, or on in-vehicle displays. The participating automobile manufacturers commit to, at a minimum, making this information available via online web portals.
  • Choice – Under the Principles, if a participating member provides notice in consistence with the transparency principle, the acceptance and use by the owner or user will be deemed to constitute consent to the processing of the information obtained. For the use of geolocation information, biometrics and driver behaviour information, the sharing and use of such information may raise concerns in some situations and therefore participating members undertake to obtain an affirmative consent of the owner or user concerned, except in certain circumstances set forth in the Principles where an implied consent will suffice.
  • Respect for context – Participating members undertake to use and share covered information in ways that are consistent with the context in which the covered information was collected, taking into account the likely impact on the owner or user. Factors which may determine the context of the collecting include the notices offered by the participating member, the permissions obtained from and the reasonable expectations of the owner or user, etc.

The Principles contain an enlightening (non-exhaustive) list of examples to illustrate some of the reasonable and responsible ways in which covered information may be used or shared. Among typical examples which are deemed to be consistent with the context of collecting the information, are some atypical examples for which – at least from a European data protection perspective – it can be argued that these purposes may be considered as incompatible with the original purpose of the vehicle technologies and services, such as using or sharing the information as reasonably necessary to facilitate a corporate merger, acquisition or sale involving a participating member’s business, or using covered information to provide owners or users with information about goods and services that may be of interest to them.

  • Other principles included in the Principles are data minimization, data de-identification, data retention, data integrity and access (albeit a right of access for the owner or user limited to ‘personal subscription information’, rather than to all covered information held about them), and data security.

Although the scope of the Principles is limited to the automotive industry in terms of material application, and limited to consumers using the vehicles for personal use in the United States in terms of geographical application, it is expected that similar principles and guidelines will follow shortly for larger geographical and material (other sectors).

 For more information, please contact patrick.van.eecke@dlapiper.com. or julie.debruyn@dlapiper.com    



Permanent link to this article: http://blogs.dlapiper.com/privacymatters/connected-cars-privacy-automotive-industry-adopts-consumer-privacy-principles/

Big Data, Big Privacy Issues

By Patrick Van Eecke & Mathieu Le Boudec

Last week, a resolution on big data was adopted under the auspices of the 36th International Conference of Data Protection and Privacy Commissioners (hereafter: “ICDPPC”). After earlier guiding documents released this year by, among others, the Executive Office of the President of the United States, the Information Commissioner’s Office (UK), the Working Party 29 and the European Data Protection Supervisor, this resolution is yet another confirmation of the attention big data gets from regulators worldwide.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/big-data-big-privacy-issues/

GLOBAL: Mobile apps – increasing privacy transparency is on top of your to-do list!

Patrick Van Eecke & Elisabeth Verbrugge

As previously announced, the Global Privacy Enforcement Network (GPEN) recently released the results of the global privacy sweep of mobile applications it conducted in May 2014.

More than 25 privacy commissions around the world examined a total of 1,211 mobile apps. The sweep targeted both Apple and Android apps, both free and paying apps, both public and private sector apps and covered a variety of different types of apps, ranging from games over health apps to banking apps. The privacy commissions’ reviews focused in particular on transparency and consent.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-mobile-apps-increasing-privacy-transparency-is-on-top-of-your-to-do-list/

GLOBAL: Sweep Day 2014: Global Coordinated Enforcement

Read here an article by DLA Piper Partner Carol Umhoefer, published in E-Commerce Law & Policy in July 2014 discussing how Internet Sweep Day illustrates trends in the data protection regulatory space.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/sweep-day-2014-global-coordinated-enforcement/

UK: CCTV consultation and App privacy – regulators catching up with technology

The UK’s Information Commissioner’s Office (ICO) have recently published a new draft CCTV Code of Practice.  It is open for consultation until 1 July 2014 – visit http://ico.org.uk/about_us/consultations/our_consultations to review the draft code of practice, and to provide feedback.  The changes address emerging and increasingly available technologies (e.g. body mounted cameras, and drones), and the privacy impacts of those, as well as building in legislative updates and case law.  The underlying compliance regime remains firm – if you believe there is the need for CCTV technologies, then before using it undertake a Privacy Impact Assessment to ensure that its use is proportionate and that privacy concerns can be mitigated.  If it use is justified, then ongoing monitoring and management is vital as well, with at least a yearly check of its use continuing to be compliant and appropriate. 

App Privacy is another developing area, and one of concern for customers and suppliers alike.  Regulators are realising that there is the potential for there to be major privacy impacts and that it is a global issue.  The ICO’s research in 2013 found that half of potential customers had rejected an app due to privacy concerns.  These permissions are commonly summarised in a box when downloading an app and in some cases go beyond what is really needed for that app to function.  The ICO issued its guidance for app developers late last year – http://ico.org.uk/for_organisations/data_protection/topic_guides/online/mobile_apps – and the ICO is now involved in a global effort to review global app privacy issues as part of the Global Privacy Enforcement Network.  We expect to see more compliance reviews and guidance in this area, and potentially some enforcement action dependent on the reviews.  The French data protection authority (CNIL) is also active in this area and undertook a sweep of 100 mobile apps earlier this month as we have mentioned in a previous post (http://blogs.dlapiper.com/privacymatters/france-the-cnil-is-auditing-the-100-most-commonly-used-mobile-apps-in-france-as-part-of-internet-sweep-day/).  The takeaway is clear – to avoid regulatory action and to encourage customers to download their apps, app developers should ensure that their compliance is fully considered and properly documented in its app permissions and applicable privacy policies.

For further details on these issues, please contact JP Buckley (jp.buckley@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-cctv-consultation-and-app-privacy-regulators-catching-up-with-technology/

Global: App providers, beware of sweeping privacy watchdogs!

By Patrick Van Eecke & Julie De Bruyn

The Global Privacy Enforcement Network (GPEN) is organizing an international privacy sweep between 12 and 18 May 2014, specifically targeted at mobile applications, involving 27 data protection authorities around the world .

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-app-providers-beware-of-sweeping-privacy-watchdogs/

Europe: Mobile gaming apps rarely compliant with basic EU data protection consent rules

By Patrick Van Eecke and Anthony Cornette:

Mobile apps may, and frequently do, have access to a lot of personal information. This personal information can include one’s contact list, location, calendar and photos. Through social network integration, this includes access to even more information.

Mobile app providers, however, tend to forget applying some basic principles of European data protection legislation, such as asking the customer for informed consent before downloading the app.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-mobile-gaming-apps-rarely-compliant-with-basic-eu-data-protection-consent-rules/