Concerns over user privacy quickly followed the craze for FaceApp. The Cnil responds.
The French Supervisory Authority (the Cnil) has just published a set of guidelines and tutorials this Friday, 19 July, signalling potential privacy issues when using apps such as FaceApp.
First, the Cnil reminds users that mobile apps should be downloaded only from official stores (e.g. App Store or Google Play) and accordingly refers to its Facebook post earlier this year listing 29 fraudulent photo-editing apps.
The Supervisory Authority then draws attention to several key rights afforded to users under GDPR: the right to know whether their data is stored in or outside the EU, whether their data is shared with third parties or used for secondary purposes, and how to exercise the rights of objection, erasure and access.
Pursuant to article 13.1.f of the GDPR, FaceApp should inform its users if their data is stored in Russia, where the app is run. Only applications retaining data in the European Economic Area are not subject to this requirement. Moreover, when personal data is transferred from the EU to a country that does not ensure an adequate level of protection according to the European Commission, such as is currently the case with Russia or the United States, users have the right to know what appropriate safeguards have been taken.
Without partaking in the current debates on the confidentiality risks and drawbacks of having data stored in such countries, the Cnil specifies that it is crucial (a) to verify in the phone settings whether the app can access only selected photo(s) or all photos stored on the mobile, and (b) to revoke access to cameras and to mobile data after use.
Very often, photo-editing apps pop up authorisation clauses that users accept without reading, granting wide or unlimited access to mobile content in a manner inconsistent with the GDPR principle of data minimisation (article 5.1.c).