Fixing your app for the new EU Privacy Laws

André Foeken
Published in Nedap Talks, Jan 8, 2016

If you are building an app that handles any personal information relating to citizens of the European Union, you will have to make changes. To make matters more interesting, the definition of personal information is so broad that most apps fall into this category, even if you think yours doesn't.

Almost every piece of software will need to be updated if you want to continue doing business in Europe.

Just before year's end, the European Union put the finishing touches to the data protection reform that has been in the works for the last few years. In two years it will go into effect, and your app needs to be ready by then if you want to continue serving European customers.

So what does this all entail? Basically, the EU is giving its citizens a lot more power over their data, and giving companies that process or store personal information a lot more responsibilities.

Personal information is defined as any information (or combination of information) that can be traced back to an individual. This includes the expected things like your name, e-mail address and social security number, but also things you might not immediately think of, like photos that show your face, your Twitter handle, and even your IP address.

Under the new rules you need a legal basis to store these kinds of personal information; explicit consent is the most common one (performing a contract the user asked for is another). Naturally, when users enter information themselves, that counts as consent for the purpose they entered it for, but you still need to ensure your users actually know what they are consenting to and what you will do with the data. Initially, changing your terms and conditions may suffice, but we feel the exact definition of consent will remain under heavy discussion for quite some time.

The data protection reform defines the following four new fundamental rights for European Union citizens:

Right to data transparency
As discussed above, a user needs to give explicit consent for the personal information you store. The user must be able to see which types of information are stored (and their content) and be able to revoke that consent whenever they want. If you want to share that data, you once again need the user's consent, separately for each party you want to share it with.

The user also has the right to ask you who has seen their data and with whom you shared it. So if your support team can log into a user's account, you need to keep track of that, and if your database is accessed directly you need to keep track of that too. Remember that IP addresses are personal information as well, which means you need consent to use website trackers like Google Analytics unless you turn on their IP anonymization.
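The two mechanics in that paragraph, an access trail the user can query and IP anonymization applied before the address is written anywhere, look like this in code. This is an added example, not code from the original post or from Nedap: the `AccessLog`, `UserStore` and `anonymize_ip` names, the sample user `u42` and the sample addresses are constructed for the illustration, and the in-memory list stands in for what would be a separate, write-once audit store.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def anonymize_ip(ip: str) -> str:
    """Coarsen an IP address so it no longer points at a single host.

    IPv4: zero the last octet (keep a /24). IPv6: zero the last 80 bits
    (keep a /48). This is the truncation Google Analytics documents for its
    anonymizeIp option; here it is applied before the address is stored.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


@dataclass(frozen=True)
class AccessEvent:
    """One look at one data subject's personal data."""
    at: str          # ISO 8601 timestamp, UTC
    actor: str       # who looked, e.g. "support:alice" or "partner:acme-crm"
    subject: str     # whose data (the user id)
    action: str      # "view", "export" or "share"
    fields: tuple    # which attributes were touched
    purpose: str     # why, e.g. a ticket number


class AccessLog:
    """Append-only record of who touched whose personal data.

    Assumption: a real deployment writes this to a store the application
    cannot edit (append-only table, WORM bucket); a list stands in for it.
    """

    def __init__(self) -> None:
        self._events: List[AccessEvent] = []

    def record(self, actor: str, subject: str, action: str,
               fields: tuple, purpose: str, at: Optional[str] = None) -> AccessEvent:
        when = at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        event = AccessEvent(when, actor, subject, action, tuple(fields), purpose)
        self._events.append(event)
        return event

    def who_accessed(self, subject: str) -> List[AccessEvent]:
        """Answer the user's question: who has seen my data?"""
        return [e for e in self._events if e.subject == subject]

    def shared_with(self, subject: str) -> List[str]:
        """Third parties the user's data went to, deduplicated and sorted."""
        return sorted({e.actor for e in self._events
                       if e.subject == subject and e.action == "share"})


class UserStore:
    """Profile store where every read is attributed to an actor and logged."""

    def __init__(self, log: AccessLog) -> None:
        self.log = log
        self._profiles = {}

    def create(self, user_id: str, **attributes) -> None:
        self._profiles[user_id] = dict(attributes)

    def read(self, actor: str, user_id: str, fields, purpose: str) -> dict:
        # The log entry is written inside the read path, so a read without an
        # actor and a purpose is impossible by construction.
        self.log.record(actor, user_id, "view", tuple(fields), purpose)
        profile = self._profiles[user_id]
        return {f: profile[f] for f in fields}

    def share(self, partner: str, user_id: str, fields, purpose: str) -> dict:
        self.log.record(partner, user_id, "share", tuple(fields), purpose)
        profile = self._profiles[user_id]
        return {f: profile[f] for f in fields}


def demo() -> dict:
    """Constructed sample data, not real users."""
    log = AccessLog()
    store = UserStore(log)
    store.create("u42", name="Jane Doe", email="jane@example.org",
                 last_ip=anonymize_ip("203.0.113.77"))   # coarsened before storage
    store.read("support:alice", "u42", ("email",), "ticket #1234")
    store.share("partner:acme-crm", "u42", ("name", "email"), "user opted in to newsletter")
    return {
        "accesses": [e.actor for e in log.who_accessed("u42")],
        "shared_with": log.shared_with("u42"),
        "stored_ip": store._profiles["u42"]["last_ip"],
    }
```

Two design choices matter more than the code: reads cannot happen without naming an actor and a purpose, because the log entry is written inside the read path, and the IP is coarsened before it is stored, so there is never a raw copy to protect later. Direct database access by administrators bypasses `UserStore` entirely, which is exactly why the paragraph says you need to keep track of that separately (database audit logging, or a bastion host that records sessions).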

Right to data portability
Users have the basic right to export their data. Walled silos will no longer be permitted: if the data is about them, you need to provide a usable, machine-readable way to export it.

Right to be forgotten
This might be the most discussed of the new rights. The right to be forgotten allows users to force companies to delete the data they hold about them. So at the very least you have to provide a way to really delete an account, but remember that personal information about users may live on in log files and backups. Take care of those too!

As an extra complication, certain information may not be removed because of other obligations. For example, even if a user asks you to remove their personal information, you are not allowed to destroy their invoices, because tax legislation requires you to keep them. This is part of the controversial nature of this right.
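One way to implement the portability and erasure requirements from the two sections above so that backups and the retained invoices are both handled, as an added example that is not from the original post or from Nedap: every user's personal fields are encrypted under a key unique to that user, the key vault is excluded from backups, and "forgetting" a user destroys the key. Copies of the profile sitting in old backups then become unreadable without anyone having to rewrite the backup media, while the invoice ledger references the user only by an opaque id and is left in place. The `Service` class, the field names and the sample user are constructed for the illustration, and the HMAC-based stream cipher is a stand-in for a real AEAD such as AES-GCM, chosen only so the example runs on the standard library.

```python
import copy
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a stream-cipher keystream.

    Illustration only: no integrity protection. In production use AES-GCM
    (or another AEAD) from a vetted library; the shredding logic below is
    the same whichever cipher sits here.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Service:
    """Personal data encrypted under a per-user key; invoices kept separately.

    Backups capture `profiles` and `invoices` but never `keys`: the key vault
    is a separate store with its own short retention (assumption). Destroying
    a user's key therefore makes every backup copy of their profile unreadable.
    """

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}                  # key vault, not backed up
        self.profiles: Dict[str, Dict[str, bytes]] = {}   # ciphertext only
        self.invoices: List[dict] = []                    # retained for tax law

    def create_user(self, user_id: str, **pii: str) -> None:
        key = secrets.token_bytes(32)
        self.keys[user_id] = key
        self.profiles[user_id] = {f: encrypt(key, v.encode()) for f, v in pii.items()}

    def add_invoice(self, user_id: str, number: str, amount_cents: int) -> None:
        # Tied to the user only by the opaque id; no name or e-mail in here.
        self.invoices.append({"number": number, "user_id": user_id, "amount_cents": amount_cents})

    def read_profile(self, user_id: str) -> Optional[Dict[str, str]]:
        key = self.keys.get(user_id)
        if key is None or user_id not in self.profiles:
            return None                                   # key shredded: data is noise
        return {f: decrypt(key, blob).decode() for f, blob in self.profiles[user_id].items()}

    def export_user(self, user_id: str) -> str:
        """Right to data portability: everything about the user, as JSON."""
        return json.dumps({
            "profile": self.read_profile(user_id),
            "invoices": [i for i in self.invoices if i["user_id"] == user_id],
        }, sort_keys=True)

    def forget_user(self, user_id: str) -> List[str]:
        """Right to be forgotten: destroy key and profile, keep the ledger.

        Returns the retained invoice numbers so the user can be told what
        stayed and why.
        """
        self.keys.pop(user_id, None)                      # the shredding step
        self.profiles.pop(user_id, None)
        return [i["number"] for i in self.invoices if i["user_id"] == user_id]

    def snapshot(self) -> dict:
        """What a backup job captures: the data stores, not the key vault."""
        return copy.deepcopy({"profiles": self.profiles, "invoices": self.invoices})


def demo() -> dict:
    svc = Service()
    svc.create_user("u42", name="Jane Doe", email="jane@example.org")   # constructed sample
    svc.add_invoice("u42", "INV-2016-0001", 4999)
    backup = svc.snapshot()                               # taken while the user was active
    before = json.loads(svc.export_user("u42"))
    retained = svc.forget_user("u42")
    # The old backup still holds the ciphertext, but nothing can decrypt it now.
    restored = Service()
    restored.profiles, restored.invoices = backup["profiles"], backup["invoices"]
    return {
        "before": before["profile"]["email"],
        "after": svc.read_profile("u42"),
        "retained": retained,
        "backup_readable": restored.read_profile("u42") is not None,
        "backup_has_ciphertext": "u42" in backup["profiles"],
    }
```

Which invoice fields may be pseudonymized and which must stay legible is a question for your accountant, not your code; the pattern only keeps the two lifetimes separate so that honouring one obligation does not break the other. Log files need the same thinking: either keep personal data out of them in the first place, or give them a retention short enough that "deleted after N days" is an honest answer to the user.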

This right is also suspect, since it could be seen as censorship. What if a newspaper uses your name in an exposé about you; can you use your right to be forgotten to wipe the slate clean? Google would love your input here.

Right to know if your data has been compromised
When something happens to your app that affects personal information, such as a breach, you have to notify the supervisory authority and, where the breach puts them at risk, the users involved. You can no longer stay silent.

These four rights don't come without consequences either. The legal and financial risks of not supporting them are quite large. The potential fines are massive, up to 4% of worldwide annual turnover or 20 million euro, whichever is higher, because they need to deter both a one-person app shop and tech giants like Facebook and Google.

Over the next few months I will try to share the information we have been gathering at Nedap over the last few years. I will share our experiences implementing the required features and answer any questions that might arise, so everyone can benefit from the work we have done.
