The Argentine Personal Data Protection Authority approved a set of privacy and data protection guidelines for the development of software applications.
Acknowledging both the importance of the software industry in Argentina, the country in Latin America with the highest rate of software exports, and the importance of protecting privacy and personal data, the Argentine Personal Data Protection Authority (the “DPA”) issued Rule No. 18/2015 (the “Rule”), which was published in the Official Gazette on April 16, 2015.
This Rule approves a set of good-practice guidelines aimed at raising awareness of privacy and data protection in the process of developing apps (the “Guidelines”).
The Guidelines use plain language and are intended primarily for software developers who in some cases might not be familiar with the principles contained in the Argentine Data Protection Law No. 25,326 (the “DPL”).
The Guidelines emphasize that software applications are able to collect, treat and process personal data; therefore, it is important to make sure that the application complies with the terms and obligations under the DPL.
To that end, the Guidelines enumerate those basic principles as follows:
- prior, express and informed consent from the data subject shall be obtained;
- use of personal data should be limited to the purpose for which it was collected;
- the personal data being collected should be accurate, adequate, pertinent and not excessive for the purpose for which it was collected;
- personal data should be protected from unauthorized access through the corresponding security measures; and
- any person intervening in the treatment of personal data has a confidentiality obligation that continues even after the end of the relationship with the data controller.
At the same time, the Guidelines include the following recommendations for protecting privacy and personal data during the software development process:
- take into account privacy in the process of developing an application;
- develop the applications using “privacy by design”, considering any privacy and data protection implications from day one;
- activate the privacy options by default;
- allow users to control and choose their privacy options;
- limit the quantity of data collected;
- protect the data you collect and choose someone within your organization to be responsible for privacy compliance; and
- use Privacy-Enhancing Technologies to protect users’ personal data by minimizing or eliminating data collection.
The Guidelines also address the specific problems of mobile apps, echoing the difficulties that small screens pose for the proper display of Privacy Policies. To that end, they suggest that developers should be creative in showing users what their privacy practices are, e.g. through the use of graphics, colors and sound, to try to get their attention.
Lastly, the Guidelines refer to apps designed to be used by children. In that connection, they suggest (i) limiting as much as possible the collection of data from children; (ii) contemplating stricter security measures; (iii) avoiding the sharing of personal information of children and (iv) when necessary, obtaining parental consent.