The Article 29 Working Party (WP29) adopted – on 27 February 2013 – Opinion 02/2013 on apps held on smart devices, in which it cited a lack of transparency, free and informed consent, and disregard of the purpose limitation principle as some of the key data protection risks to end users. ‘Apps are able to collect large quantities of personal data from the device’, read the release. ‘This often happens without the free and informed consent of users, resulting in a breach of European data protection law.’

Phillip James, Partner at Pitmans SK Sport & Entertainment LLP, told DataGuidance: “For anyone involved in developing commercial strategies for smart devices, the WP29′s Opinion is a must read; ignore opinions such as this at your peril – see Path’s $800,000 fine by the Federal Trade Commission earlier this year.”

Article 5(3) of the ePrivacy Directive requires consent from the user, having been provided with clear and comprehensive information, before the placing and retrieving of information from a device. Kasey Chappelle, Global Privacy Counsel for Vodafone, said: “This important guidance from our regulators needs to be looked at in tandem with the work the mobile industry has done to meet consumer expectations on how their personal information is used on their devices, like the GSMA’s Mobile Privacy Initiative and the resulting Privacy Design Guidelines for Mobile Apps and Accountability framework.”

A GSMA survey prepared in September 2011 showed that 92% of all users had concerns when applications collected personal data without their consent.

The WP29 stated that many apps either do not have a privacy policy or fail to inform users in a meaningful way about the type of personal data the app may process and for what purposes. Pat Walshe, Director of Privacy at the GSMA, said: “The WP29 is sending a message that you cannot bury key terms in long legalistic privacy policies and expect that this amounts to ‘consent’ to access information stored on a users’ mobile phone or collect sensitive data not related to the purpose of the app”.

The WP29 refers to a previous Opinion (10/2004) on the benefits of layered notices to adequately inform end users of an app’s data collection practices to circumvent the limitations of how much information can be presented on a small screen. “Just-in-time consent is the watchword”, said James. “By providing the necessary information at the most relevant moment, a user is likely to take notice. However, just-in-time consent is not the silver bullet. It is one piece of a larger, complex jigsaw”.

User consent must also be ‘specific’ and ‘simply clicking an install button cannot be regarded as valid consent for the processing of personal data [as it] cannot be a generally formulated authorisation’. Whilst clicking ‘Install’ can fulfil the consent requirement under Article 5(3) of the ePrivacy Directive, the WP29 states ‘it is unlikely to provide sufficient information in order to act as valid consent of the processing of personal data’. The Opinion recommends a granular approach, where consent is sought for each type of data the app intends to access.

“Whether further and additional consents are required is dependent on a number of factors and very much depends on context,” said Walshe. “For example, installing an app to locate my nearest cash machine – my consent is implicit in the act of installing the app and demanding that my device be located. The only time I would expect to provide additional consent is if the app wished to use my location for purposes outside of its original purpose – for example, to advertise location based offers to me, or to build a profile of my movements when not making direct requests to be located.”

Chappelle said: “We do have some concerns about the extent to which the regulators’ guidance relies solely on consent as the justification for applications’ data use. This is why we work with our developers to find effective ways to design privacy into apps that comply with regulatory requirements, give customers meaningful choices and are as transparent and consumer-friendly as possible.”

The WP29 warns, that fulfilling the conditions of valid consent does not give an app license for unfair and unlawful processing, and must respect the principles of purpose limitation and data minimisation.

Other elements addressed by the Opinion include issues of security, and children’s data, as well as the responsibility of the actors in the mobile app ecosystem – developers, OS and device manufacturers, app stores and third parties.

Republished article courtesy of DataGuidance, the Global Database for Data Protection and Privacy Compliance