Concerns over user privacy quickly followed the craze for FaceApp. The Cnil responds.

The French Supervisory Authority (the Cnil) has just published a set of guidelines and tutorials this Friday, 19 July, signalling potential privacy issues when using apps such as FaceApp.

First, the Cnil reminds users that mobile apps should be downloaded only from official stores (e.g. App Store or Google Play) and accordingly refers to its Facebook post earlier this year listing 29 fraudulent photo editing apps.

The Supervisory Authority then draws attention to several key rights afforded to users under GDPR: the right to know whether their data is stored in or outside the EU, whether their data is shared with third parties or used for secondary purposes, and how to exercise the right to object, erase or access.

The Cnil alludes to these points because they are missing, either entirely or partially, from FaceApp's Terms of Use, which makes the app noncompliant with articles 12 and 13 of the GDPR. In so doing, the regulator also offers a brief legal response to the wave of anxiety regarding the storage of FaceApp users' personal data.

Pursuant to article 13.1.f of the GDPR, FaceApp should inform its users if their data is stored in Russia, where the app is run. Only applications retaining data in the European Economic Area are not subject to this requirement. Moreover, when personal data is transferred from the EU to a country that does not ensure an adequate level of protection according to the European Commission, as is currently the case with Russia or the United States, users have the right to know what appropriate safeguards have been taken.

Without partaking in the current debates on the confidentiality risks and drawbacks of having data stored in such countries, the Cnil specifies that it is crucial (a) to verify in the phone settings whether the app can access only selected photo(s) or all photos stored on the mobile, and (b) to revoke access to cameras and to mobile data after use.

Very often, photo editing apps display authorisation clauses that users accept without reading, granting wide or unlimited access to mobile content in a manner inconsistent with the GDPR principle of data minimisation (article 5.1.c).

In the case of FaceApp, users grant "a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you" (see Terms of Use).

It is therefore in users’ interest to exercise caution when granting the app access to their data, especially when it involves photos of relatives who did not consent to the use of their data and, a fortiori, to these Terms of Use.