The most successful apps protect personal data – Deloitte Abogados

Now that smartphones have become an established part of our daily lives, mobile applications (apps) of every type have arrived – some display the weather conditions, some advise us on health matters, while others enable us to perform bank transactions. There are even apps that inform us that we are getting closer to our favourite shops.

Together with technological issues, one of the fundamental concerns when creating an app is its legal configuration. When developing the app, the following parameters must be considered: intended users; receipt of personal data; specific processing of data; data subjects; data storage; intellectual property; cookies policy; security policy; technical maintenance; and the use of video and image. These elements will determine the legal obligations with which an app must comply.

Compliance with legal requirements will include certain duties which the developers/creators must consider when beginning to design an app. These obligations might include: (i) the drafting of a specific privacy policy and legal notice that includes information required by users in relation to the processing of personal data, and user consent for specific uses (for example, commercial communications), and which sets out (ii) specific rules when requesting information relating to health, (iii) minors or (iv) where the data consists of photos or videos, (v) obligations in connection with international transfers, where the application is hosted in or accessed via countries outside of the European Economic Area, (vi) the drafting of an agreement regarding the protection of the data of those who have access to the personal data collected by the app, (vii) the establishment of an agreement regulating the rights to use the new app’s intellectual property, (viii) a specific policy where cookies are used, (ix) obligations foreseen in connection with e-business, consumers and users where purchases can be made through the app, (x) trademark protection, and lastly, (xi) notifying, as the case may be, the Spanish Data Protection Agency of the specific personal data file(s).

Among the apps that are exemplary with regard to most of the aforementioned data protection concerns are some of those that are used in relation to personal fitness, such as smart watches or pedometers. These apps do pose a number of significant data protection challenges that may even be aggravated by the appearance on the scene of health-related data, which is subject to increased legal requirements.

Such fitness devices, through embedded sensors, record and transmit data about their users to their related app, for example, daily number of steps, sleep schedule, heart rhythm and calories burned. Users can see the complete picture of how they move and sleep in the app and can complete such information with additional facts such as details about their weight, their mood or their diet.

Among the specific legal risks related to these apps, aside from those already listed above, are: (i) processing of health-related information (due to the broad definition of such a concept); (ii) collection of geolocation information; (iii) profiling of users as the result of combining the different categories of data processed, namely health-related information and lifestyle; or (iv) use of personal data for secondary purposes.

In 2014, the Global Privacy Enforcement Network (including national and regional data protection authorities) carried out a privacy sweep focusing on apps and reached the conclusion that the most successful apps do comply with the main data protection requirements. Developers are therefore encouraged to implement the existing legal requirements, not only to ensure regulatory compliance but also to increase their popularity among users.

María Vidal is a senior associate at Deloitte Abogados. She can be contacted at marvidal@deloitte.es

Susana Rodríguez Ballano is a senior associate at Deloitte Abogados. She can be contacted at srodriguezballano@deloitte.es
