The EU's principal oversight body for data protection has adopted an opinion which discusses the main EU law data privacy issues of cell phone and smart device "apps".

Concerned, clearly, that the app world, so to speak, may be oblivious, advertently or otherwise, to the requirements of EU rules that apply for the protection of personal data, the EU has provided a strong hint regarding compliance via the issuing of this opinion.

The so-called Article 29 Working Party is comprised of representatives from the EU Member States and EU Commission. It has advisory status on EU data privacy issues and acts independently.

This opinion, though not legally binding, is of considerable use, interest and applicability to businesses that are active in the EU and involved in the mobile app "ecosystem", including: app developers; device manufacturers; app stores; and other third parties (e.g. advertisers and analytics providers).

Applicable law

The Article 29 Working Party gave its opinion chiefly against the legislative background of the EU Data Protection Directive 95/46/EC (the "Directive"). The Directive imposes a range of data privacy obligations upon "data controllers" (namely, persons who determine the purposes and means of the processing of personal data).

The Directive will apply in any case where the use of apps on smart devices involves processing personal data of individuals. Whenever a party involved in the app ecosystem acts as a data controller, it will be required to comply with the Directive.

The Article 29 Working Party also considered the EU e-Privacy Directive (2002/58/EC), which provides that the gaining or storing of information on the terminal equipment of a user is only allowed where the user has given informed consent.

Apps and the personal data they process

The opinion notes that smart devices store and/or generate many types of personal data. This data may include a person's location, contacts, browsing history or identity (to name but a few examples). Such data can be processed either on the device or (once transferred) on app developers' or third party infrastructure via external connections. This may occur in real-time and without the user's knowledge.

Key Data Privacy Risks posed by apps

The opinion identifies several data privacy risks in relation to apps. The main risk stems from the degree of fragmentation between the many players in the app development landscape. This is because a single piece of data can be transmitted through a chain of such players on a global basis. Other key risks include: the lack of transparency and user awareness of/appropriate consent to data processing when using an app; poor security measures; and the trend towards data maximization and elasticity of purposes for which data is collected in the app environment.

Recommendations

The opinion lists a number of data privacy recommendations for each of the various players in the app ecosystem. In all cases, those players must be aware of (and comply with) their obligations as data controllers under EU data privacy law when they process data from and about users.

Amongst other things, the opinion advises that:

  • app developers must ask for appropriate consent before the app starts to retrieve or place information on the mobile device;
  • app stores should enforce data privacy information obligations upon app developers; and
  • device manufacturers must ensure that data processed on devices is secure and employ "from the ground-up" privacy by design principles to prevent secret monitoring of the app user.

The opinion places considerable importance on the principles of "purpose limitation" and "data minimisation". Users must be provided with well-defined limits to the purposes for which their personal data will be used. App developers must also take care to consider which personal data are strictly necessary to perform the app's desired functionality, and how long the app will retain that data.

In addition, app users must be provided with appropriate information about how their personal data will be processed by the app, so that they may give the required "informed" consent to such processing. This information must be provided to users before app installation, perhaps via the app store. The information should also be available within the app itself, post-installation. Users should also be able to exercise their rights over that data via simple but secure online access tools.

Finally, the opinion underlines the special attention that must be placed on observing data privacy principles and obligations as regards younger users of apps.

Concluding comments

The rise of the smart device app coincides with the rise of data privacy compliance up the agendas of legislators and businesses alike. This opinion provides welcome and useful guidance to businesses involved in this fast-growing area of electronic commerce within the EU's internal market. It flags up the legal potholes in this area, and illustrates how the various players in the app ecosystem can work and co-ordinate themselves to achieve better compliance levels with the current EU legislation.

App developers in particular should take heed of the opinion's contents in order to prevent otherwise avoidable liability issues in the future. After all, incurring unnecessary fines and being subjected to avoidable regulatory investigations would not be considered to be that "smart"?