Update: Find out more about the EU's General Data Protection Regulation here.
In this blog series, we will shed light on the legislative framework of mobile application development in major countries and regions across the globe. The second part of the series is an analysis of EU regulations that are of concern to application developers.
Privacy is an important matter in European law. As early as 1995, the EU adopted the Data Protection Directive (Directive 95/46/EC) to regulate the collection and processing of personal data, such as location, contacts, identity, pictures and browsing history. Organisations aren't allowed to process personal data unless three conditions are met. Firstly, the user of a service has the right to be informed when his personal information is being processed; the controller must state who it is, why the data is processed and who the recipients of the data are. Secondly, personal data can only be processed for explicitly specified and legitimate purposes, and only insofar as it is relevant and not excessive in relation to these purposes. Thirdly, the data must be accurate and, if necessary, kept up to date. Extra restrictions apply when sensitive personal data is being processed, such as religious beliefs, political opinions, health or sexual orientation. Since an EU directive has to be transposed into national law in order to have effect, every member state has enacted its own data protection legislation, and the details (notification duties, consent rules, sanctions) differ from country to country.
The Data Protection Directive also established the Article 29 Working Party, an independent European advisory body on data protection and privacy whose task is to promote the uniform application of the general principles of the directive in all member states. In 2013, it issued an opinion on apps on smart devices (Opinion 02/2013) to address the risks that go with them. The opinion also contains concrete guidelines for app developers, app stores, OS vendors and third parties such as advertisers, aimed at tackling the insufficient protection of the personal data these apps process.
The E-Privacy Directive (2002/58/EC), issued in 2002 to address the challenges of the emerging digital technologies, particularises and complements the Data Protection Directive for the electronic communications sector. It sets a specific standard for all parties worldwide that wish to access information stored on the devices of users in the European Economic Area (EEA). First, the Directive states that storing information on a user's device, or gaining access to information already stored there (any type of information, not just personal data), is only allowed when the user has been given clear and comprehensive information and has given consent; the only exception is storage or access that is strictly necessary to provide a service the user has explicitly requested. Following the Article 29 Working Party's reading of this rule, consent is also needed before an application is installed. Last, providers of publicly available electronic communications services are obliged to notify the competent supervisory authority as soon as they become aware of a personal data breach.
In 2012, the European Commission proposed to replace the Data Protection Directive with the General Data Protection Regulation. Unlike a directive, a regulation applies directly in every member state without transposition, and it applies to every organisation, wherever established, that processes the personal data of individuals in the EU. One of the new measures requires mobile app developers to obtain parental consent for processing the data of children; the Commission's draft set the age limit at 13, while the text agreed by the member states raises it to 16 and lets each member state lower it to no less than 13. Another measure allows data protection authorities to impose a penalty of up to 2% of a company's worldwide annual turnover in case of violation of the law in the original proposal, a ceiling the agreed text raises to 4%. After four years of amending the draft, the member states reached an agreement in December 2015. It is expected that the regulation will be formally adopted in the spring of 2016 and come into effect in 2018.
Also noteworthy is the EU-US Privacy Shield, a new framework for transatlantic data flows agreed at the start of 2016 to replace the invalidated Safe Harbour arrangement. When it comes into effect, the new arrangement will impose stronger obligations on companies in the US to protect the personal data of Europeans, together with stronger monitoring and enforcement by the US Department of Commerce and the Federal Trade Commission (FTC). The US government has given the European Union the assurance that access by public authorities for law enforcement and national security purposes will be subject to clear limitations and strong oversight.
Similar to Canada and the US, the EU has adopted additional laws concerning the processing of medical data. Medical devices are regulated under the Medical Devices Directive (93/42/EEC) and the In Vitro Diagnostic Medical Devices Directive (98/79/EC; in vitro devices are used in the examination of samples taken from the human body, like blood and urine). Mobile medical applications (or mHealth applications) fall under the Directives if they have an intended "medical purpose", which means that a developer must decide early on whether an app only displays or stores health data or actually supports diagnosis, monitoring or treatment. The European Commission acknowledged the uncertainty of this criterion, and therefore published guidelines on the qualification and classification of stand-alone medical software (MEDDEV 2.1/6) in 2012. In the same year, the Commission proposed revisions of the two Medical Device Directives in order to improve the safety level of medical devices. Since then the proposal has become a 'bureaucratic Frankenstein' with many deviations from the original text, similar to the process of drafting the General Data Protection Regulation. The adoption of the new regulations is expected in 2016.
Mobile payment applications (or m-payment applications) are subject to the Payment Services Directive (2007/64/EC), which regulates payment services and payment service providers in the European Union and the European Economic Area. The Directive was adopted to harmonise consumer protection and to set out the rights and obligations of payment providers and users, including transparency of information (such as any charges, exchange rates, transaction references and the maximum execution time). However, some issues remained unaddressed. The Directive only applies when both the payer's and the payee's provider are located in the EU, so transactions to or from third countries fall outside it. Furthermore, new means of payment, such as mobile banking, are often still fragmented along national borders, making it difficult for innovative payment services to offer consumers effective, convenient and secure payment methods. To address the need for harmonisation, the European Commission proposed a revision (the second Payment Services Directive, PSD2) that focuses on electronic payments. The European Parliament adopted the proposal in 2015. One of the new rules imposes strict security requirements for the initiation and processing of electronic payments and for the protection of consumers' financial data; in particular, providers must apply strong customer authentication when a user accesses a payment account online or initiates an electronic payment, which directly affects how m-payment apps authenticate their users. Following the Parliament's vote, the Directive will be formally adopted by the EU Council of Ministers in the near future.
In conclusion, the European Union has addressed the protection of consumer data in many ways. However, the introduction of new technologies such as mobile applications has urged legislators to adjust the current regulations. 2016 will be an interesting year in this respect, since many of these amendments will be formally adopted.