The European Union (EU) Article 29 Working Party, the independent advisory body to the European Commission on data protection and privacy, published an Opinion on 27 February 2013 on the data protection risks, and its recommendations, for those offering mobile applications to users in the EU.
To that end, the Working Party has put forward a range of recommendations for each of the parties involved in the development and distribution of apps, from the app developers to the smart device and operating system (e.g. Android, Win8) manufacturers and the app stores.
You are an app developer based outside the EU: do you need to comply?
In a word, yes. A key finding of the Working Party is that the EU rules (currently Directive 95/46/EC as implemented by the 27 EU Member States’ national laws) do apply to any app which is targeted at users within the EU, regardless of the location of the app developer or app store. This is because the Directive (and the national legislation implementing the Directive) bites where data controllers use “equipment” in the EU for the processing of personal data and, in the case of mobile apps, the smart device on which the app is installed and used is treated as the relevant “equipment” for processing personal data. Therefore a US app developer offering its app for sale/download to customers within the EU would need to comply with EU rules.
What are the key findings/recommendations?
- Consent: when installing an app, certain information may be placed on the device (e.g. “cookies” or similar tracking technology). Users should be given the choice to accept or refuse these and to accept or refuse the processing of their personal data, e.g. via a “Yes, I accept” option during installation of the app.
- Security: app developers, app stores, operating system and device manufacturers and third parties should ensure that they have appropriate organisational and technical measures to ensure the security of the data they process. They should adopt a “privacy by design” and “by default” approach.
- Outsourcing arrangements/arrangements with third parties: app developers may outsource some or all of their data processing activities to a third party (e.g. external data storage provider, customer service provider, analytics providers etc.). Data controllers must ensure that the third party complies with applicable EU rules when it processes data on their behalf, for example via a data processing agreement.
- Children: the Working Party appreciates that certain apps are designed for and target children specifically. However, app developers and other data controllers should pay attention to national age limits for processing personal data without parental consent (this may vary between 12 and 18 depending on the EU Member State) and consider the child’s level of understanding of data processing. Where relevant, parental consent to processing should be obtained.
The Opinion offers some useful guidance for all the relevant players involved in app development and distribution, in particular the need to provide clear and unambiguous information about data processing up front (on the app store and in the app) and to ask for consent prior to installation, but perhaps of most interest is the confirmation that non-EU apps must comply with the EU rules where they are installed or used by users in the EU. The Opinion also refers specifically to the new concepts of “privacy by default” and “by design” which were introduced by the draft data protection Regulation (which will, if and when adopted, replace Directive 95/46/EC), and which would broadly require app developers to build compliance with EU data protection law into their apps by design, rather than tacking it on as an afterthought.