On 14 March 2013, the Article 29 Working Party (“Working Party”), an independent advisory body that represents data protection authorities in the European Union (“EU”), announced that it had adopted an opinion (“Opinion”) addressing the key data protection risks of mobile apps and clarifying the applicable legal framework for the processing of data in developing, distributing and using apps.

The Working Party notes that on average 37 apps are downloaded per smart phone user and highlights that apps are able to collect and process significantly larger quantities of data from a smart device than is possible with a traditional internet browser due to the close interaction with the operating system of a smart mobile device. Whilst such data is used to provide new services to the end user it can also lead to the same data being used commercially in a manner unknown or unwanted by the end user.

Many types of data available on smart mobile devices are personal data, the processing of which is regulated in the EU by the Data Protection Directive (95/46/EC). In addition, the ePrivacy Directive (2002/58/EC as revised) requires that a user’s consent must be obtained in order to store any information on, or access it from, a device. The Working Party confirms that these laws apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store, and identifies the following key data protection risks to end users:

  • Lack of transparency and awareness of the types of processing an app may undertake
  • Lack of free and informed consent from end users before that processing takes place
  • Poor security measures
  • An apparent trend towards data maximisation
  • The elasticity of purposes for which personal data are being collected

The Opinion sets out a number of recommendations which are aimed primarily at app developers but also apply to the other numerous players in the app development ecosystem including device and operating system manufacturers, app stores and analytics and advertising providers. The key recommendations include:

  • Consent: app developers must ask for (freely given, specific and informed) consent before installation of the app.
  • Purpose: app developers must provide well-defined purposes of the data processing before installation of the app and not change these purposes without renewed consent.
  • Policy: app developers must provide a readable, accessible privacy policy.
  • Tools: app developers should create tools that enable users to customize retention periods for their personal data.
  • Revocation/Deletion: app developers must allow users to revoke their consent and uninstall the app and delete data where appropriate.Operating system and device manufacturers should also enable users to uninstall apps and ensure all user data is deleted.
  • Security: operating system and device manufacturers should facilitate regular security updates.
  • Children: special precautions must be taken with respect to personal data collected from or about children.

The Working Party’s observation that significant risks can be posed to the private life and reputation of smart device users by app developers who are simply unaware of the data protection requirements is a timely reminder of the need for all those involved in the app ecosystem to make data protection and privacy by design a fundamental part of the development process. The EU data protection reforms currently being debated by the European Parliament propose to introduce a specific privacy by design obligation and once the new regime is in effect any breaches of this or other data protection obligations could potentially expose app chain players to future fines of up to 2% of annual worldwide turnover.

Please click here for a link to the press release.

Please click here for a link to the Opinion.