The Article 29 Working Party (WP29) recently published an opinion on software applications (apps) on smart devices. The opinion focuses on data processing in the development, distribution, and operation of apps. The opinion is aimed at app developers, Operating System and device manufacturers, app stores and third parties (such as advertising networks).

Data protection issues

The WP29 identified four key data protection attention points with regard to apps:

(i) Transparency

Information about data processing must be available to the user both prior to the downloading of the app, as well as after the app is fully installed on the smart device. Currently this is often not the case. The information that must be provided should include:

  • The identity and contact details of the data controller;
  • The precise categories of data that will be processed;
  • The purpose of the data processing;
  • Whether the data will be disclosed to third parties; and
  • How users can exercise their rights, in terms of withdrawal of consent and deletion of data.

(ii) Free and informed consent

A valid consent is one where the user has first been informed of which data will be processed. The WP29 notes that a distinction must be made with respect to the legal grounds of consent on apps namely (i) consent for installation and (ii) consent for data processing, both of which are required. Clicking ‘Install’ will not be deemed as a valid consent for the processing of personal data. Both consents must always be provided in a free, specific and informed manner.

The WP29 also encourages the use of granular consent: allowing the users to specifically control which data processing functions they want to activate. Granular consent should be requested for several categories of data, such as location data, contacts, credit card and payment data and browsing history.

(iii) Security measures

Data controllers must ensure data protection through technical and organisational measures. All relevant parties should take into account the principles of privacy by design and privacy by default. This means e.g., that default settings are such, that they avoid the tracking of users.

(iv) Purpose limitation and data minimisation

The WP29 also underlines the principles of purpose limitation and data minimisation. This means that personal data should only be used for the purposes for which they were originally collected. Furthermore, only personal data, which are strictly necessary to perform a desired functionality should be collected.

Points to note

The WP29 emphasises that privacy compliance should be implemented from the development stage on by all parties involved. The WP29 expects far-reaching cooperation between the various parties involved to ensure privacy compliance on topics, such as consent, deletion of data and privacy-friendly default settings. Also, parties are encouraged to develop technical solutions, which would for example allow for an easily accessible privacy policy.

Furthermore, the WP29 also stresses that an app targeting users within the EU, will need to comply with EU data protection rules. Therefore, in this context, data controllers established outside of the EU will generally need to comply with EU data protection rules.

It seems that with some of these recommendations, the WP29 is anticipating the obligations that might arise under the future European General Data Protection Regulation. (MD) The opinion can be found on