Legislation drafted for mHealth security

Targets how mobile developers collect data

A Georgia Congressman has released draft legislation that would regulate how the developers of mobile applications  including mHealth apps  collect personal data.

Rep. Hank Johnson (D-Ga.) unveiled the Application Privacy, Protection and Security (APPS) Act of 2013 on Jan. 16 as a discussion draft, meaning it hasn't been formally proposed as legislation. If enacted, it would require developers to disclose how they collect personal data and what other parties would have access to that data. In addition, the legislation would inform consumers what information is collected and how long it could be stored, and it would allow them to prevent developers from sharing or collecting their own data.
 
[See also: Mobile health app market in growth mode.]
 
Under the proposed legislation, the Federal Trade Commission would be charged with enforcing the app privacy rules, and would be required to create regulations required by the APPS Act within a year of its enactment. In addition, a state's attorney general could file a federal civil action.
 
Johnson's office unveiled the discussion draft of the bill on AppRights.us, a website that the Congressman launched last year to solicit ideas on mobile privacy. 
 
"One of the first bills of its kind, the APPS Act is a careful response to the many perspectives that have reached out to Congressman Johnson through AppRights," Johnson's office said in an introduction on the website. "This bill addresses the public's growing concern with data collection on mobile devices. It would require that app developers provide transparency through consented terms and conditions, reasonable data security of collected data, and users with control to cease data collection by opting out of the service or deleting the user's personal data to the greatest extent possible."  
 
According to the proposed legislation, a developer would have to identify the consumer before collecting any personal data and obtain that user's consent. 
 
In terms of protecting that data, the proposed legislation states that developers would be required to "prevent unauthorized access to a user's data through reasonable and appropriate security measures. This provision would address sub-standard data storage practices by promoting responsible data storage." 
 
"The APPS Act contains a safe harbor for companies that comply with the enforceable code of conduct agreed upon through the NTIA's (National Telecommunications and Information Administration) multi-stakeholder process," the proposed legislation further states. "This approach give(s) developers flexibility in how they display their privacy policies and interact with consumers, and avoids a heavy-handed legislative approach."
 
According to a Computerworld story, the NTIA is engaged in ongoing meetings to develop a mobile app policy. In a Jan. 17 story, the site quoted Steve DelBianco, executive director of the NetChoice e-commerce trade group, as questioning whether lawmakers should take up Johnson's proposed legislation while the NTIA is still working on the issue.
 
"We have been at this for six months, and have some ways yet to go," DelBianco said in an e-mail to Computerworld reporter Grant Gross. "So I hope the Congressman will hold his bill until our multi-stakeholder process proves it can generate consensus best practices."
 
Johnson's proposed legislation isn't the only issue related to mobile devices that Congress is expected to face this year. Minnesota Sen. Al Franken last June submitted the "Protect Our Health Privacy Act of 2012," which seeks to require "all covered entities to encrypt portable devices that store protected health information." That bill would also restrict the use of that information by medical contractors and require agencies to report any privacy breaches and enforcement action to Congress.
 
Franken's bill has been referred to the Senate Committee on Health, Education, Labor & Pensions, and officials say Franken may re-introduce the bill this year.