The Article 29 Data Protection Working Party has submitted its findings and recommendations on smart phone applications and related data protection and privacy issues.

Apps are developed with the capabilities to collect and process large quantities of personal data from a device. However, many developers remain unaware of the requirements of data protection legislation and as a result may risk data protection and security breaches. The key risks highlighted by the Working Party are the lack of transparency and awareness of the types of processing that downloading, installing and using an app may involve, combined with a failure to obtain any meaningful consent from end users before that processing takes place. This stems from a high degree of fragmentation between the various players in the market which include: developers; owners; stores; and Operating Systems and device manufacturers.

The EU legislation governing this area is currently the Data Protection Directive (95/46/EC) which applies specifically when the use of an app on a smart device results in processing an individual’s personal data imposes obligations on data controllers to protect such data. There is however currently a new draft General Data Protection Regulation (the “draft Regulation”) being debated at European Parliament level - and there is certainly an indication that some of the provisions of the draft Regulation – including those on explicit consent and privacy by design and default – were given consideration by the Working Party when drafting the Opinion. Additionally, the ePrivacy Directive (2002/58/EC) applies to protect users of apps. Notably, Article 5(3) of the ePrivacy Directive states that the storing of information and the gaining access of information is only allowed on the condition that the user has given consent, after being provided with clear and specific information.

The Working Party makes it clear that mobile apps used by individuals in the European Economic Area will come under the remit of both Directives – regardless of the location of the entity processing the data.

Who are the data controllers?  

While the developers are considered to be primary data controllers the Opinion recommends that OS and device manufacturers should also be seen as data controllers for any personal data which is processed for their own purposes, such as security. The Working Party further emphasises that “privacy by design” and “privacy by default” (two key principles that appear in the draft Regulation) will require manufacturers to embed data protection from the very beginning of design and that they also have important responsibilities to provide safeguards for the protection of personal data and the privacy of app users.

What constitutes valid end user consent?

The main focus of the Opinion is on the issue of consent, required under Article 7 of the Data Protection Directive to process personal data. This is an element of the draft Regulation that has also had much consideration of late. Any organisations that wish to rely on individuals’ consent to process personal data must, under the current Data Protection Directive, ensure that the consent they obtain is “unambiguous”. However the Commission has proposed in the draft Regulation changes that would require consent to be explicit, freely given, specific and informed and obtained through a statement or “clear affirmative action”. Despite some attempts by industry to water this down, this has recently received support from the European Data Protection Supervisor, Peter Hustinx, who has made it clear that he is a strong advocate of the Commission’s emphasis on explicit consent in the draft Regulation.

The ePrivacy Directive further requires that the user is provided with clear and comprehensive information before consent can be given to the placing and retrieving of information from a device. The consent must therefore be given prior to the installation of the app and thus the processing of personal data.

In order to give informed consent to processing end users need to know what type of personal data is being processed and for what purpose and intention. The Working Party see these elements as key information relating to the data processing and as such providing it only after the app has started to process personal data is not sufficiently legal or valid.

There is a distinction between consent required to place information on and read information from the device and any consent necessary to have a legal ground for the processing of different types of personal data. However, the two types of consent can be merged in practice either during the installation of the app or before the app starts to collect personal data from the device, provided that the user is made clearly aware of this.

“Freely given”

The fact that many app stores provide users with information about the basic features of an app prior to installation and then require a positive action from the user before the app is downloaded and installed, i.e. by a click to install button, may not fulfill the consent requirement as it is unlikely to provide sufficient information for the processing of personal data.  

The Opinion set out that, for the user to have “freely given” their consent, they must have a choice of accepting or refusing the processing of personal data. Therefore, the user should not be confronted with a screen only offering “Yes – I accept” option, but there should also be a cancel or decline option available to stop the installation. This is a clear move towards the approach of requiring affirmative action from the user for consent instigated by the Commission, and means that developers may well need to adopt a different approach when scoping and designing apps in the future.

Informed and specific

Further, the user should give “informed” and “specific” consent. This means they should be presented with the necessary information to form an accurate judgement and the consent should only relate to the processing of a particular data item or category of data processing. An approach suggested by the Working Party is to give the user granular consent; consent should be sought for each type of data the app will access. This achieves the aims of both informing the user and obtaining specific consent for each important element of the service. Simply producing a lengthy set of terms and conditions will not constitute specific consent.

It is still important that the consent should not be a licence for unfair and lawful processing. The purpose of the data processing should not therefore be excessive and/or disproportionate. Finally, and importantly, the user should be given the opportunity to withdraw consent at any time, in a simple manner.

Purpose limitation and data minimisation

The Working Party highlights that third parties obtaining access to the user data through apps must adhere to the principles of purpose limitation and data minimisation. The purpose limitation principle, which allows users to understand the purpose for which their data is used, excludes sudden changes in the key conditions of the processing. The app developers should also consider which data are strictly necessary to perform the desired functionality. Notably, app users should ensure that the type of processing is not changed from one version of an app to another without giving the end users the appropriate information and opportunity to withdraw from the processing or service.

Displaying information to the end user

The information about data processing must be available to users before installation of the app, and such information must also be accessible from within the app after installation. This also applies to personal data and app users should not have to search the web for information of how their personal data is used.

The Working Party also stresses that app users should be able to exercise their rights of access, rectification, erasure and objection to use of data processing. To this end, access tools should be preferably available within each app, or by offering a link to an external site. The manner in which withdrawal of consent is offered should be simple and it must be possible to un-install apps and remove all personal data from servers of the data controller. This echoes the controversial ‘right to be forgotten’ that is present in the draft Regulation and may cause concern for developers in relation to how to achieve this in practice – especially in the case of servers accessed through cloud computing.

Other data controller obligations  

Due to the fragmented nature of the app market and the numerous parties involved, every app should have a single point of contact, who will take responsibility for all the data processing that takes place. The user should know who is legally responsible for the processing of their personal data. End users should also be informed whether personal data can be reused by other parties and for what purposes. The Working Party have therefore recommended that data controllers provide the following information: retention periods of the data and security measures applied, as well as how such privacy policies comply with European data protection law and the US Safe Harbor Framework.

The approaches detailed in the Opinion may add additional burdens on developers, many of which are small start-ups that may not have access to additional resource to deal with such requirements. This goes to the heart of recent considerations being given to the draft Regulation, in terms of the balance to be struck between protecting the rights of the individuals and ensuring the new regime has the flexibility necessary to nurture, and not stifle, creativity.

Regardless of how this is read in the context of the draft Regulation however, it is clear from the numerous findings and recommendations of the Working Group, that app developers need to have data protection and privacy breaches in mind when inventing and developing apps as the market expands and technologies progress.