UK government announces new rules for apps to boost consumer security and privacy

December 14, 2022

The UK government has published its response to its call for views on app security and privacy interventions. The response says that the vast majority of respondents supported all principles within the voluntary Code of Practice, and the need for the Code itself. There was broad support for commencing work to explore how the Code could be put on a regulatory footing in the future.

The government has amended the draft Code in line with feedback. It commissioned a mapping of the app standards landscape which found that there are no security standards or recommendations for all app store operators and no universal standard for app security. Therefore, it says that the Code will provide clarity and improve the security and privacy practices of app store operators and app developers.

Given the global nature of cyber security issues and digital markets, the government also recognises that this work should be taken forward in collaboration with international partners. It will therefore examine the viability of international standards and look to build an international coalition around the Code’s baseline security and privacy requirements.

Whilst the Code remains voluntary, the government does not expect regulators to monitor uptake of the Code beyond the responsibilities already set out for them in law. The Department for Digital, Culture, Media and Sport (DCMS) will be responsible for commissioning research and working with stakeholders to assess adherence to the Code, particularly among app store operators.

In the Call for Views, the government set out various cross-government work that interlinks with the app ecosystem. Since that publication, there has been some notable relevant new activity:

  • Policy work is underway in DCMS to understand the vulnerabilities that exist in enterprise IoT products. DCMS is also engaging with other governments to promote the security requirements in ETSI EN 303 645, the European standard for consumer IoT security.
  • As set out in the National Data Strategy, the government has called for views about the risks to UK data storage and processing infrastructure, and the security and resilience of that infrastructure.
  • The government introduced the Data Protection and Digital Information Bill in July. It adapts the UK GDPR. The second reading of the Bill was postponed for new ministers to consider the legislation. The Code and its annexes will be updated, where necessary, if there are any changes to the legislation.
  • The government has recently run a Call for Information seeking views on potential measures to reduce unauthorised access to citizens’ online accounts and personal data. This programme aims to reduce at scale the threat of cybercrime and the offences it often facilitates, such as fraud and domestic abuse, and, in line with the National Cyber Strategy, to reduce the cyber security burden placed on citizens. The programme recognises that any proposals should complement existing obligations and the wider landscape of cyber resilience.
  • The government published a paper setting out a roadmap from 2022 to 2025 to enhance the government’s digital and data services. Part of this document notes that, as part of efforts to increase access to government services, a mobile app strategy will be created. The government will also ensure that its own apps adhere to the requirements in the Code of Practice.
  • The government is also continuing work on many other interlinking areas, such as the new pro-competition regime for digital markets, fraud and online safety.

The Code of Practice includes eight principles:

  • Ensure only apps that meet the code’s security and privacy baseline requirements are allowed on the app store;
  • Ensure apps adhere to baseline security and privacy requirements;
  • Implement a vulnerability disclosure process;
  • Keep apps updated to protect users;
  • Provide important security and privacy information to users in an accessible way;
  • Provide security and privacy guidance to developers;
  • Provide clear feedback to developers; and
  • Ensure appropriate steps are taken when a personal data breach arises.

The Code will be reviewed, and if necessary updated, no later than every two years in light of technological developments, further clarifications, modifications to regulations and changes to the threat landscape in this area.