On 9 December 2014, authorities responsible for the regulation of privacy and data protection laws in 23 separate countries, including the UK (the Information Commissioner’s Office), Canada, Australia, Israel, several EU Member States and various other countries, published an open letter which, although addressed to leading providers of app marketplaces (“app stores”), contains recommendations for any businesses operating in the app sector.
The letter explains that 2014 was the year of the second Global Privacy Enforcement Network Privacy Sweep (the “Sweep”). One of the main issues uncovered by the Sweep was that many of the world’s most popular mobile apps (the Sweep reviewed over 1200) did not have privacy policies, and that although app stores afford an opportunity to include such policies, this is usually optional.
The letter’s authors state that app stores have a responsibility to address privacy as an aspect of consumer protection, and that privacy information (such as links to privacy policies) should be consistently supplied and be a mandatory requirement for apps which collect data. The letter concludes that app stores are expected, if they have not already done so, to take the steps necessary to give effect to this guidance.
It is somewhat unusual for privacy regulators to join together on a global scale to address quite such a specific issue as the responsibility of app store providers to promote mobile app privacy policies. However, the interaction between app stores and individuals is now a part of daily life and this has not gone unnoticed by regulators. The role of app stores in ensuring protection of users’ privacy and personal data has already been commented on by the European Union’s independent data protection advisory body, the Article 29 Working Party (see the link below to Opinion 02/2013, in which it was stated that “App stores are in an important position to enable app developers to deliver adequate information about the app, including the types of data the app is able to process and for what purposes. App Stores can enforce these rules by their admission policies”).
In targeting app stores with the letter, it would appear that regulators are hoping that this approach of collectively putting pressure on the key operators of app marketplaces will prove more effective at raising compliance among app providers than attempting to take direct action against individual non-compliant providers, which is rarely practical given the large numbers of such providers. Given, however, that the letter in question is not legally binding and will not directly compel any action on the part of its recipients or any other app store providers, there remains considerable doubt as to how effective it will be in practice.
A copy of the letter can be found on the website of the Office of the Privacy Commissioner of Canada at: https://www.priv.gc.ca/media/nr-c/2014/let_141210_e.asp.
The Article 29 Working Party’s Opinion 02/2013 can be found on the Europa website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf