Written by: Hannah Williams

When we use and access different apps and platforms, our data is being collected and used. This often helps the app function properly, or may be necessary given its nature, and so is often not harmful in itself. However, such data collection also comes with a risk. Some platforms have been found to collect data in a manner that goes against their privacy policies and potentially against the EU’s GDPR, meaning our data is not as safe as first thought.

The Problem

The British Medical Journal has recently published a study regarding data collection amongst health apps on the Google Play Store. The investigation looked at 20,000 health apps, many of which ask that users disclose sensitive information such as calorie intake and menstruation tracking.

Out of these platforms, 28% of the apps failed to provide any form of privacy statement or explanation on Google Play regarding the information being collected. This is against the Store’s terms of service, and so it must be asked how and why this has been allowed. Many apps have also been found to violate their own privacy policies, meaning the GDPR has likely been breached.

The right to be informed in the GDPR requires that users are told clearly how their data is being used. Muhammad Ikram from the Macquarie University Cyber Security Hub has stated that some of the information being passed on to third parties such as advertisers is effectively ‘data mining’. He continues that this is ‘done without user consent and is being done explicitly and implicitly’.

Why Does This Matter?

Having your personal data given to public platforms without consent is undesirable for a variety of reasons. For example, many companies use such data to understand your lifestyle habits for the benefit of their business. Furthermore, it also increases the opportunity for additional privacy violations involving extremely sensitive information.

The investigation also discovered that only 1.3% of user reviews have actually raised concerns about privacy violations. This demonstrates the lack of awareness regarding intrusive data collection practices that are potentially breaching Google Play’s terms of service. Consequently, many users may have experienced such a breach, and their data may have been shared with other parties outside of the platforms without their knowledge.

What Can You Do?

Ikram suggested that users should begin to read the privacy policies on the Google Play Store to ensure that their data is being handled safely and securely. It was also suggested that users look further into how the platforms intend to use their data and who they wish to share it with. This can help prevent misuse of data and any exploitation of medical information.

Another way to prevent data harvesting is to use strong passwords in order to protect data from unauthorised personnel. It is recommended that passwords should vary between platforms and should not be similar to a name or birthday.

Legal Implications

The GDPR defines data mining in Article 4 as ‘any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person’. If the above health apps are in fact violating privacy terms, then they may also be breaching the GDPR’s requirements.

Furthermore, if the apps are doing this without the user’s consent, this goes against the GDPR requirement found in the ‘right of access’ section. This states that the user must be notified of all safeguards in place should their data be transmitted to another party. The ‘right to be informed’ also requires that the user must be notified within a reasonable time that their data has been collected. This comes with a set of conditions, such as where the information was obtained and the content of said data.

The health apps in question seem to violate these requirements if they are proven to collect data ‘without user consent’, as described by Ikram. It is up to the relevant platforms to police this and ensure that all apps follow the essential guidelines.

Although not all apps are using data in this way, the few that are should be investigated and regulated by the relevant platform. In the Google Play Store’s case, if apps are failing to meet the Store’s terms of service, it logically follows that steps should be taken to prevent further violations.

Users could also focus on protecting themselves as best they can by reading all terms and conditions and privacy notices, and by creating more secure accounts, for example by using strong passwords.