Mobile Apps – what about Data Protection?

Recently the Article 29 Working Party (comprising the European Data Protection Regulators and which provides the European Commission with independent advice on data protection matters) adopted an opinion on mobile apps. It identifies privacy risks arising from the use of apps and analyses common scenarios relating to the development and use of apps in the light of current EU data protection and e-privacy law. It sets out a summary of the obligations to which the various players in the app market are subject, as well recommendations to improve user privacy.

Legal framework
The relevant legal framework is the Data Protection Directive and the requirement for specific consent for storing and retrieving information on and from a device under the ePrivacy Directive. These rules apply to any app targeted at users within the EU, regardless of the location of the app developer or app store. They cannot be excluded by unilateral declaration or contract.

Risks
The working party highlights the following risks arising from the use of mobile applications (apps):

• Lack of transparency.
• Lack of awareness amongst app users.
• Poor security measures.
• Invalid consent mechanisms.
• A trend towards data maximisation and elasticity of data processing purposes.

It cites the following causes:

• The fragmented nature of the app landscape.
• The wide range of technical access possibilities to data stored in or generated by mobile devices.
• The lack of legal awareness amongst developers.

Key principles
The working party specifies examples of categories of personal data that significantly impact privacy; these include not only location and contacts, but also unique device identifiers. Those who use the latter to deliver and track advertisements will be subject to EU privacy laws.

The working party focuses its legal analysis on the consent requirement, the principles of transparency, purpose limitation, data minimisation, security, retention and fair processing, particularly concerning children.

Security measures are specified for each type of player involved in the development and distribution of apps, identified as app developers, the app stores, the operating system (OS) and device manufacturers, and third parties such as analytics providers and advertising networks.

Overlapping obligations and recommendations
The working party analyses common scenarios and concludes that each type of player will be a data controller or joint controller in various specified instances. Examples of obligations and recommendations, in some cases overlapping, are set out below.

App developers must:

• Ask for (freely given, specific and informed) consent before installation of the app.
• Ask for granular consent for each specified category of data the app will access.
• Provide well-defined purposes of the data processing before installation of the app (for example, product innovation or market research will not suffice) and not change these purposes without renewed consent.
• Provide a readable, accessible privacy policy, which includes, for example, information about whether data will be disclosed to third parties, including a specific description of the recipients.
• Refrain from processing children’s data for behavioural advertising purposes.

The working party recommends that app developers, together with the OS and device manufacturers and app stores, ensure that users are adequately informed, for example, through a system of layered information notices and meaningful icons.

App stores must:

• Enforce the app developer’s obligation to inform users in simple, age-specific language.
• Provide detailed information on the pre-app marketplace submission privacy checks they make.

The working party recommends that app stores implement a privacy-friendly, remote uninstall mechanism and warn app developers about EU law on, for example, consent and international transfer requirements.

OS and device manufacturers must:

• Update their application programming interfaces, store rules and user interfaces to offer users sufficient control to exercise valid consent over the data that is processed.
• Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access one of the specified categories of data.
• Employ privacy by design principles to prevent secret monitoring of the user.
• Ensure (the default settings of) pre-installed apps are compliant with EU privacy law.
• Offer granular access to data, sensors and services to ensure that the app developer can only access necessary data.
• Provide effective means to avoid being tracked by advertisers and others (default setting).
• Ensure that the user is clearly informed of each access to a category of data before installation.
• Provide tools for security and to allow each functionality to be installed and uninstalled easily.

The working party recommends that OS and device manufacturers develop clear audit trails into the devices such that end users can clearly see which apps have been accessing data on their devices and the amounts of outgoing traffic per app, in relation to user-initiated traffic.

Third parties must:

• Together with the app developers and app stores, comply with the consent requirement under the ePrivacy Directive.
• Not circumvent any anti-tracking mechanisms.
• In the case of communications service providers when they issue branded devices, ensure the valid consent of users for pre-installed apps.
• In the case of advertising parties, specifically avoid delivering advertisements outside the context of the app and refrain from the use of unique device or subscriber identifiers for tracking purposes.
• Refrain from processing children’s data for behavioural advertising purposes.

Comment
The working party stresses that users must be in control of their own personal data. Its conclusions are aimed at ensuring high standards of user privacy and, arguably, user experience, although no doubt some developers and other players will take a contrary view. They might also contend that innovation and creativity will be stifled, particularly given the expansive view of what constitutes ‘personal data’ and the need to check the functionality of any third party software libraries that developers propose to use for compliance. However, the working party has challenged developers and others to come up with innovative solutions that achieve both commercial and privacy-related objectives.