EDPS-IPEN Privacy by Design contest for mobile Health (mHealth) applications

The European Data Protection Supervisor (EDPS), in partnership with the Data Protection Authorities of Austria, Ireland and Schleswig-Holstein and supported by the Internet Privacy Engineering Network (IPEN), is pleased to announce the launch of the EDPS-IPEN Privacy by Design contest for mobile Health (mHealth) applications for the month of April 2018.

This initiative aims to promote privacy engineering through the demonstration of an mHealth application implementing the “privacy by design and by default” principles, in order to create best practices that may constitute a reference for privacy-friendly development of mobile apps.

The mHealth sector has rapidly expanded in recent years. Undoubtedly, mHealth apps may bring benefits to the lives of individuals: lowering the cost of healthcare, strengthening patients’ control over their own healthcare, granting immediate access to medical care and information online, and providing new insights for medical research through the use of large amounts of personal data.

At the same time, processing such data at large scale and over connected devices may reduce users’ control over their personal information, which risks being misused in ways that adversely affect users’ interests and fundamental rights. This is magnified by the mobile apps ecosystem, which so far has not given evidence of effective protection of personal data and integration of the principles of privacy by design and by default.

Filling this gap is urgent and of the utmost importance. Healthcare providers and developers should therefore accept this challenge and consider the protection of privacy and personal data as a priority, especially after the adoption of the General Data Protection Regulation (GDPR) in the EU.

The challenge to solve

Participants are challenged to develop a useful and user-friendly mHealth application at the forefront of the implementation of the data protection by design and by default principle, as required under the GDPR.


Two contestants will be awarded prizes.

  • € 20.000 will be awarded to the project ranking as first in the selection
  • € 10.000 will be awarded to the project ranking as second in the selection

Both winners will have the opportunity to present their projects at the 40th International Conference of Data Protection and Privacy Commissioners (ICDPPC), which will take place in Brussels in the last week of October 2018.

Expected deliverable

The app shall contribute to witnessing and advancing the state of the art with respect to Privacy by Design and by Default in mHealth.

Contestants shall develop and demonstrate the solution in the form of a mobile app. The app should be publicly available for installation for a significant user base and support two or more mobile operating systems. The app server backend, if any, of the service supported by the app is expected to work when the app is delivered to the contest organisers for assessment. Contestants shall provide complete functional and non-functional documentation, including data protection related deliverables, among them a data protection notice and a report on the management of data protection risks and the privacy by design and by default approach taken.

All deliverables shall be in English.

Eligibility and Award criteria

Participation is open to all natural and legal persons established in the EU, within the scope of the GDPR. Participants who have already received an EU prize cannot receive a second prize for the same project.

In case participants decide to compete in a group, a lead participant shall be appointed to represent the group towards the EDPS.

A jury composed of experts from the EDPS and EU DPAs, as well as from academia and other EU institutions will evaluate the projects according to the following criteria:


The app shall enable better care of personal health and contribute to individuals’ empowerment


User-friendliness and accessibility shall be taken into account for the app design, and considered in the documentation.


The app shall comply with the European Union legal data protection requirements, in particular:

  1. lawfulness, fairness and transparency (including notice to data subjects and enabling data subjects’ rights)
  2. purpose specification and limitation
  3. data minimisation with respect to the purposes (necessity and proportionality)
  4. accuracy
  5. storage limitation (data retention requirement)
  6. data security

The app shall be developed following the privacy by design and by default approach.

The assessment might include a pre-selection phase. In this case, we might invite pre-selected projects for a demonstration of their proposal. A final decision will be taken at the official launch of the contest and described in the Rules of Contest.

Expected Timetable

Opening for Submissions: April 2018

Deadline for Submissions: end of June 2018

Evaluation period: July-September 2018

Possible project demonstration: September 2018

Award decision: end of September 2018

Prize Award ceremony: side event at the International Conference of Privacy and Data Protection Commissioners 2018, last week of October 2018, in Brussels

Contest criteria, scoring and the weighting methodology, as well as the detailed timetable and conditions for participation, will be further defined in the Rules of Contest.

Article Source: https://edps.europa.eu/data-protection/our-work/ipen/edps-ipen-privacy-design-contest-mobile-health-mhealth-applications_en