The Article 29 Data Protection Working Party (the "Working Party") has warned that many app developers are failing to comply with European data protection law by collecting personal data on end users from apps on their mobile devices without obtaining sufficient consent to do so.
The body, which represents all data protection authorities throughout the European Union, has published an opinion on mobile apps which sets out the specific obligations that app developers must comply with when designing and deploying apps that will collect personal data from end users' devices. The opinion also discusses the requirements that app stores, advertising providers, operating system providers and device manufacturers must consider in order to comply with European data protection law.
In its opinion, the Working Party has said that:
- An app developer must obtain an end user's freely given, fully informed, specific consent to the collection and use of personal data via an app, and must do so before the app is installed on the end user's device;
- There is an obligation on app developers to inform end users of who is going to be collecting and controlling their personal data, the types of personal data that are going to be collected, why it is going to be collected and how it is going to be used, whether any personal data will be disclosed to third parties, and how users can withdraw consent and have their data deleted if they wish to do so;
- An app developer must enable end users to manage their consent to the different ways in which the developer proposes to use the personal data collected;
- The purposes of any data processing must be well defined, be comprehensible and remain within the limits communicated to the end user;
- An app developer must, where it is necessary to retain personal data, only retain it for a reasonable period; and
- Special precautions must be taken with respect to personal data collected from or about children.
The Working Party also expressed its concern about the adequacy of security measures currently being adopted by app developers to protect personal data that they collect via apps. App developers must ensure that they take appropriate security measures to protect any personal data from being lost, stolen or accessed or disclosed without authorisation. App developers must also take care not to stretch or exceed the purposes for which they are collecting and using personal data if they are to avoid breaking European data protection law.