Recently the Article 29 Working Party (comprising the European Data Protection Regulators and which provides the European Commission with independent advice on data protection matters) adopted an opinion on mobile apps. It identifies privacy risks arising from the use of apps and analyses common scenarios relating to the development and use of apps in the light of current EU data protection and e-privacy law. It sets out a summary of the obligations to which the various players in the app market are subject, as well recommendations to improve user privacy.
Legal framework
The relevant legal framework is the Data Protection Directive and the requirement for specific consent for storing and retrieving information on and from a device under the ePrivacy Directive. These rules apply to any app targeted at users within the EU, regardless of the location of the app developer or app store. They cannot be excluded by unilateral declaration or contract.
Risks
The working party highlights the following risks arising from the use of mobile applications (apps):
It cites the following causes:
Key principles
The working party specifies examples of categories of personal data that significantly impact privacy; these include not only location and contacts, but also unique device identifiers. Those who use the latter to deliver and track advertisements will be subject to EU privacy laws.
The working party focuses its legal analysis on the consent requirement, the principles of transparency, purpose limitation, data minimisation, security, retention and fair processing, particularly concerning children.
Security measures are specified for each type of player involved in the development and distribution of apps, identified as app developers, the app stores, the operating system (OS) and device manufacturers, and third parties such as analytics providers and advertising networks.
Overlapping obligations and recommendations
The working party analyses common scenarios and concludes that each type of player will be a data controller or joint controller in various specified instances. Examples of obligations and recommendations, in some cases overlapping, are set out below.
App developers must:
The working party recommends that app developers, together with the OS and device manufacturers and app stores, ensure that users are adequately informed, for example, through a system of layered information notices and meaningful icons.
App stores must:
The working party recommends that app stores implement a privacy-friendly, remote uninstall mechanism and warn app developers about EU law on, for example, consent and international transfer requirements.
OS and device manufacturers must:
The working party recommends that OS and device manufacturers develop clear audit trails into the devices such that end users can clearly see which apps have been accessing data on their devices and the amounts of outgoing traffic per app, in relation to user-initiated traffic.
Third parties must:
Comment
The working party stresses that users must be in control of their own personal data. Its conclusions are aimed at ensuring high standards of user privacy and, arguably, user experience, although no doubt some developers and other players will take a contrary view. They might also contend that innovation and creativity will be stifled, particularly given the expansive view of what constitutes ‘personal data’ and the need to check the functionality of any third party software libraries that developers propose to use for compliance. However, the working party has challenged developers and others to come up with innovative solutions that achieve both commercial and privacy-related objectives.
You can register online or follow us on Twitter or LinkedIn to receive our latest news, events and publications.