Mobile applications are wildly popular. Apple has recorded over 30 billion app downloads to its iOS-based devices. Google has reached the 20 billion app download mark for Android devices in its Google Play Store. As mobile apps become more sophisticated, and the devices they run on become more integral to how consumers access digital services, the need to consider data protection principles in their development becomes ever greater.
Even low-end smartphones are now packed with sensors and user data, from GPS location services to address books, all of which can be accessed by mobile app developers through APIs provided by the mobile OS vendors. Indeed, the richness of a mobile app experience often depends on leveraging access to these APIs. However, this access has also resulted in high-profile examples of apps accessing user data without the necessary consents.
Will the app collect personal data?
Personal data is information relating to a living individual who is or can be identified either from the data itself or from other information that is in the possession of, or is likely to come into the possession of, a data controller.
Examples of personal data that might be received from a user include: GPS location data, photographs, address book data, and access details for third-party services (e.g. Twitter and Facebook). It should be borne in mind that, even if an app does not gather any data from its users directly, the incorporation of third-party analytics or advertising platforms will often involve the transmission of personal data.
If use of an app involves the collection of personal data, it must comply with the main data protection principles set out below.
Data protection principles
- Fair collection and processing
- Processing must be legitimate
- Data must be kept only for specified, explicit and lawful purposes
- Processing of data must be adequate, relevant and not excessive
- Data must be collected, transmitted and stored with appropriate security measures
How to ensure compliance
The key to compliance with the data protection principles listed above is the incorporation of a clear data protection notice, either in the app itself or in the app store or marketplace from which a user downloads the app. A well-drafted data protection notice will inform a user of the type of data that is collected by the app and will tell them to what uses the data will be put. The notice will also incorporate a reference to the user’s consent to the collection and processing of the data. Where it is intended to use personal data collected for certain purposes, or if the personal data is classified as “sensitive personal data”, it will be important to obtain the express consent of users for such processing. It is also important to inform users of their right to request details of the personal data that is held about them and their right to have any inaccuracies corrected.
A further key area of compliance is the incorporation of industry-standard security practices both in the app itself and in the back-end data storage/processing solution that is being employed. Any transmission of personal data from an app should use TLS (SSL) encryption, and any storage of data in an app should be encrypted using the tools provided by the mobile OS. If data is stored on servers which are under the control of the app developer, the physical security of the servers should also be addressed.
The following are common mistakes that are made by app developers:
- Updating app functionality without updating the data protection notice – incorporating a new feature in an app will often involve the collection of additional personal data, or the processing of personal data that has already been collected for a different purpose. Before updates are pushed out to users an updated data protection notice should be brought to their attention and their consent to the changes therein should be sought.
- Transmission of data outside of the EEA – if you are based in the EU, but use data storage or processing services which are based outside of the EEA, you may need the specific consent of users to the transmission of their data outside of the EEA. Alternatively, you can avoid the need for consent by clearly notifying users of the transfer and by incorporating certain contractual provisions in your agreement with the data storage or processing service provider.
- Insufficient security measures – as mentioned above, if your app transmits data over the HTTP protocol you should ensure that HTTPS (HTTP over TLS/SSL) is used and properly configured, meaning that the server certificate and its hostname are actually verified by the app. If your app needs to store personal data on the mobile device, whether in a database or as plain text files in the home folder, this should always be encrypted. Along with these basic rules you should ensure that you keep up to date with the latest security developments on all the platforms that you develop for.
- Apps that use sensitive personal data – sensitive personal data includes, amongst other things, data about the user’s racial or ethnic origins, political opinions, religious or philosophical beliefs, and physical or mental health or condition. Even a seemingly innocuous app that tracks a user’s weight and backs up that data to a server under the control of the developer would constitute the processing of sensitive personal data. The app would therefore require the express consent of users prior to that processing.
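The "properly configured" HTTPS that the security advice above calls for comes down to a few settings. As an added example that is not part of the original article, the Python below uses the standard library ssl module to show the weak configuration (certificate errors silenced, as is often done during development) beside the corrected one, together with a small audit an app's networking layer could run before it transmits personal data. The endpoint URL and the function names are constructed for illustration and do not refer to a real service.

```python
import ssl
from urllib.parse import urlsplit

# "Properly configured" HTTPS depends on three settings: the server
# certificate is verified, its hostname is checked, and only modern TLS
# versions are negotiated. The two contexts below differ in exactly those.


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: certificate verification switched off.

    Shipping this makes any personal data the app sends readable to
    whoever sits on the network path, because the app will accept a
    certificate from anyone.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration for transmitting personal data."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True,
                                        # system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3 / TLS 1.0 / 1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a TLS context (empty list = acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL versions are allowed")
    return findings


def audit_endpoint(url: str, ctx: ssl.SSLContext) -> list:
    """Checks to run before an app sends personal data to `url`."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("endpoint is not HTTPS: data would travel in plain text")
    findings.extend(audit_context(ctx))
    return findings


if __name__ == "__main__":
    # Constructed example endpoint, not a real service.
    endpoint = "https://api.example.invalid/v1/profile"
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_endpoint(endpoint, ctx) or "OK")
    print("plain http", audit_endpoint("http://api.example.invalid/v1/profile",
                                       hardened_context()))
```

The audit is deliberately a list of findings rather than a boolean: a release checklist or an automated test can fail the build on a non-empty list and report each weakness by name.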