Précis

The Information Commissioner’s Office (ICO) has recently announced a new campaign targeting the privacy compliance of mobile apps made available to the public.

Background

The ICO enforces compliance with the UK’s data protection laws, primarily the Data Protection Act 1998 (DPA) but also the Privacy and Electronic Communications Regulations (PECR).

Mobile apps are downloaded onto personal devices and collect and send data (regulated by PECR whether or not personal data is involved) and also often collect and sent personal data (regulated by the DPA).Many of those involved with the development, provision and/or use of mobile apps will be seen by the ICO as ‘controllers’ of the data being collected and used and so responsible for complying with the DPA and/or PECR.

What?

The ICO, and privacy regulators around the world, have become increasingly concerned about the use of mobile apps and their ability to collect unnecessary and intrusive data on users, often without their knowledge or agreement. There are also growing concerns about the security of data being collected and transmitted. This is particularly the case where vulnerable users are involved and/or sensitive details are collected, such as about health or sickness, whether physical or mental.

The ICO has previously issued guidance to app developers about privacy compliance. The ICO expects those developing and offering mobile apps to comply with this guidance and, in the event of any suspected breach of the DPA and/or PECR will take non-compliance with the guidance into account when determining any relevant enforcement action required and the nature of the sanction to be imposed.

So what?

Although traditionally the ICO has only investigated alleged breaches re-actively following complaint, increasingly, it is taking a pro-active stance on compliance and investigating areas of concern before any complaint has been raised. In a recent blog, the ICO announced that it will be commencing such an investigation into mobile apps used in the ‘wellbeing’ sector but has not explained further precisely who or what is being targeted. ‘Health’ apps, whether or not connected to medical devices, may well be investigated as a result.

Where an investigation identifies areas of concern, the ICO is likely to engage with those offering such apps to commence a dialogue about required compliance and in the event of inadequate responses or non-cooperation, it is likely to name and shame those involved, leading to reputational and financial damage.

The ICO may also instigate enforcement actions and impose sanctions, which following legal changes include an ability to relatively easily impose a fine of up to £500,000 for a breach of PECR. In addition, affected individuals may commence their own proceedings for compensation for breach of the DPA whether or not they have suffered financial loss and may in addition have a claim for damages for breach of privacy.

It is of note that, increasingly, privacy regulators around the world are cooperating to share data on areas of concern and organisations suspected of infringement, leading to multi-jurisdictional targeted compliance campaigns conducted by numerous regulators at the same time. In the event that the ICO identifies the sector or a specific player as a poor performer in respect of compliance, it can expect greater scrutiny, a more targeted campaign and, potentially, across multiple countries.

It is recommended that those involved in the provision and development of such mobile apps review their use and the privacy information provided to users of them, so that any necessary changes can be implemented as quickly as possible and so that providers are prepared to deal with any investigation and ICO queries. In the event of contact by the ICO in relation to any such apps, expert advice should be obtained immediately.