On 13 March 2013, the Working Party released its Opinion (adopted on 27 February 2013), which addresses key data protection issues surrounding the development and use of apps on mobile devices. The Opinion notes that the average user will install 37 apps, which then have access to large amounts of personal data. Smart devices can also capture data about the user's location and surroundings in real time from sensors on the device, such as GPS and microphones.
The Opinion confirms the obligations which are to be met by any processor of information collected from a smart device, including app developers, app stores and device and operating system manufacturers. It also contains non-binding recommendations.
The Opinion highlights some key risks that apps pose to data protection:
- lack of awareness of end users of the types of data that an app may collect;
- failure by apps to acquire meaningful consent from end users;
- poor security measures to protect the data collected; and
- app developers' lack of awareness of data protection, especially the principles of purpose limitation and data minimisation.
The Working Party notes that specific consent is needed for the processing, storing and accessing of any data on smart devices within the European Economic Area, regardless of the location of the app provider.
The Opinion sets out recommendations, mainly aimed at app developers, as they have the greatest influence over the manner in which the data is processed and the information provided to users of the app. Key recommendations are:
- App developers must ask for consent before the app starts to collect data from (or place data on) the device. Developers should ensure that consent is informed and specific, i.e. an install button is not sufficient for this. Granular consent is recommended;
- Apps must only collect data that is strictly necessary for the app to perform the desired functionality;
- Allow end users to exercise rights of access, rectification, erasure and the right to object to processing of their data;
- Define a reasonable period of time for data collected within the app to be retained. Dormant apps should be treated as expired and data deleted;
- App stores should enforce the information obligations of the app developer;
- Operating system and device manufacturers should work together to provide easy access to regular security updates; and
- When dealing with users who are minors, app developers should exercise higher levels of care and pay strict attention to the principles of data minimisation and purpose limitation.
The Working Party also recommends that all involved in the eco-system use their creativity to enhance data protection compliance, for example by developing icons to alert users and by developing user-customizable retention periods.