They are convenient, entertaining, easy to handle, cheap and versatile. Apps - our mobile companions. But using Apps means processing personal data and triggers the data protection law. What does this mean for the common user?
To answer this question, it is useful to remember role allocation under data protection law. On the one side is the data controller, who wishes to process other people’s personal data. On the other side is the data subject, whose data is to be processed and who wants it protected. In a nutshell, data protection means balancing their competing interests.
User versus App provider
What does this mean for the use of Apps? The data protection implications on the use of Apps can best be illustrated with an example. Considering a “simple” App, like an App for calendar management, things look easy. The user uses the App to manage his personal calendar data; he is the data subject. The App provider processes the user’s calendar data; he is the data controller. The provider’s processing of the user’s calendar data is still legitimate as the user uses the App for this purpose and, in fact, wants the App provider to process the calendar data.
But things become more complex if the App provides for joint calendar data management within a defined user group. If a user, for example, synchronises all the other group members’ calendar data in order to fix a joint appointment, he not only processes his own calendar data but also that of the other group members. He is not the sole data subject any more. Instead, he becomes a data controller of the other group members’ data. Accordingly, all the provisions of the Austrian Data Protection Act that regulate a data controller’s activities apply to the user.
The Austrian Data Protection app
These obligations range from the need to register with the Austrian data protection authority to the proper handling of data subjects’ requests, from ensuring that adequate security measures are in place to adhering to the law’s data breach obligations, and more. Briefly, the user faces numerous regulatory provisions he might not be able to comply with, or might not even be aware of. The calendar management example might look tame, but when considering the diversity of all the Apps being used daily and the masses of users using them, it becomes clear that data protection legal issues will quickly arise.
The legal literature is well aware of this subject and discusses various approaches to solving it. One approach is the “household exemption”, which allows unregulated data processing if it happens within the personal and private sphere of the data controller. Another approach sees the legal solution in gaining the users’ consent. But many Apps trigger data processing that exceeds the processing of data within the sole private and personal sphere of the user. In those cases, the “household exemption” will not apply. Also, none of the popular App stores currently provide for valid consent declarations. So, this issue is still unresolved: users still risk being fully regulated, which means having to adhere to all the obligations imposed by data protection law when processing other people’s data through an App.
Users are thus well advised to consider whether they would like to have their own data processed the same way before processing other people’s data through an App.