The Article 29 Working Party (WP29) recently published an opinion on software applications (apps) on smart devices. The opinion focuses on data processing in the development, distribution, and operation of apps. The opinion is aimed at app developers, Operating System and device manufacturers, app stores and third parties (such as advertising networks).
Data protection issues
The WP29 identified four key data protection attention points with regard to apps:
(i) Information
Information about data processing must be available to the user both prior to downloading the app and after the app is fully installed on the smart device. Currently this is often not the case. The information that must be provided should include:
- The identity and contact details of the data controller;
- The precise categories of data that will be processed;
- The purpose of the data processing;
- Whether the data will be disclosed to third parties; and
- How users can exercise their rights, in terms of withdrawal of consent and deletion of data.
(ii) Free and informed consent
A valid consent is one where the user has first been informed of which data will be processed. The WP29 notes that a distinction must be made with respect to the legal grounds of consent on apps, namely (i) consent for installation and (ii) consent for data processing, both of which are required. Clicking ‘Install’ will not be deemed valid consent for the processing of personal data. Both consents must always be provided in a free, specific and informed manner.
The WP29 also encourages the use of granular consent: allowing the users to specifically control which data processing functions they want to activate. Granular consent should be requested for several categories of data, such as location data, contacts, credit card and payment data and browsing history.
(iii) Security measures
Data controllers must ensure data protection through technical and organisational measures. All relevant parties should take into account the principles of privacy by design and privacy by default. This means, for example, that default settings are such that they avoid the tracking of users.
(iv) Purpose limitation and data minimisation
The WP29 also underlines the principles of purpose limitation and data minimisation. This means that personal data should only be used for the purposes for which they were originally collected. Furthermore, only personal data that are strictly necessary to perform a desired functionality should be collected.
Points to note
The WP29 also stresses that an app targeting users within the EU will need to comply with EU data protection rules. Therefore, in this context, data controllers established outside the EU will generally need to comply with EU data protection rules.
It seems that with some of these recommendations, the WP29 is anticipating the obligations that might arise under the future European General Data Protection Regulation. (MD) The opinion can be found on