Last week, the increased focus of national data protection authorities on the processing of personal data through mobile apps was again confirmed in an open letter from a group of data protection authorities.

Earlier this year, the Global Privacy Enforcement Network (GPEN, consisting of 40 national and regional data protection authorities) carried out a ‘mobile app privacy sweep’ to scrutinize organisations’ collection and use of personal data on mobile apps. The privacy sweep offered an insight into the types of permissions sought by over 1,200 of the most popular apps, and the extent to which users of the apps were informed about the privacy practices of each such app. As a result of this sweep, it was found that the information obligation in particular is rarely complied with, and that numerous instances of apps which appeared to collect personal data did not have a privacy policy or offered other up-front privacy information. It was found that not providing users with up-front information about the processing of their personal data, removes the ability for such users to make decisions about the collection, use and disclosure of their personal data.

In view thereof, an open letter addressed to operators of app marketplaces (such as Google Play, Apple App Store, Samsung, Microsoft, Nokia, Amazon and Blackberry) has been drafted by the Canadian and Hong Kong data protection authorities, and was signed by data protection authorities from 22 other countries including Australia, Belgium, France, Germany, Colombia, Ireland, Israel, Italy, the Netherlands, South Korea, and the UK. In the letter, published on 10 December, app marketplaces are specifically targeted and asked to ensure that privacy policy links should consistently and mandatorily be included in app marketplace listings. It is found that such links to privacy policies provide a simple and user friendly manner for users to obtain more information about how their personal data will be processed if they were to use the app, and allows them to make informed decisions before deciding to download the app.

Although some operators of app marketplaces are explicitly mentioned in the letter, other stakeholders that operate an app marketplace are also addressed in the letter. These stakeholders are asked to play an exemplary role and make the commitment to require each app which allows for access to or collection of personal data, to provide users with timely access to the privacy policy of the app. Such commitment will contribute to the creation of more privacy transparency for users in the app marketplace.

The full letter can be consulted here: https://www.priv.gc.ca/media/nr-c/2014/let_141210_e.asp