On the 27th February, the Article 29 Working Party published an opinion on the privacy risks posed by apps installed on smart devices. It highlighted a “lack of awareness [of privacy requirements] amongst developers” and raised concerns that one-click installs could breach data protection requirements.


The Article 29 Working Party (representing all the EU Data Protection Authorities) has issued an opinion on the privacy issues around app development, installation and use on smart devices. The opinion reminds players about the strict legal requirements which apply. For example, a single-click app installation is unlikely to generate the consent needed to collect the app users’ information (personal and other data).

The opinion targets app developers and owners, operating system and device manufacturers, app stores and other interested parties, such as advertising networks and analytics providers, as well as communication service providers.

The opinion also contains a specific list of topics which the Working Party believes app providers must consider and steps that should be taken to minimise privacy risks in such apps. In many cases this will be relevant even where a player is outside the EU.

So What?

There are two key legal frameworks that should be considered in this area:

1. The ePrivacy Directive 2002/58/EC (and the Privacy and Electronic Communications (EC Directive) Regulations 2003, or “PECR”, in the UK)

In particular, Article 5(3) of the ePrivacy Directive requires that prior consent is obtained from the user for the placing of or giving access to information on a device (whether or not personal data). This also requires the user to have been provided with clear and comprehensive information about the processing of that data in advance. This obligation does not only apply to providers of publicly available electronic communication services and providers of public communications networks within the EU, but also to every “entity that places on or reads information from smart devices”.

2. Data Protection Directive 95/46/EC (and the Data Protection Act 1998 in the UK)

In relation to personal data, the Data Protection Act 1998 requires that all processing (which includes all actions taken with personal data from collection, through to storage, transfer and use until deletion) be in accordance with the data protection principles.

The opinion is likely to surprise some by the breadth of information viewed as personal data, including unique device identifiers such as IMEI, UDID and the mobile phone number.

A critical requirement of the data protection principles is that processing of personal data must be fair and lawful. This means that individuals must be reasonably aware of what is happening with their personal data and, in most cases where apps are processing personal information, must consent to that processing in advance. The Working Party specifically states, “In the case of apps, the principal applicable legal ground [to justify lawful use] is consent”.

Consent will not legitimise every use of personal data: excessive personal data collection and unexpected use of personal data will remain unlawful.

Dealing with Consent: Privacy Risks of One-Click Installs

The Working Party focused on the different consents involved. It is important to note the distinction between the consent required to place any information on and read information from the device and the consent necessary to have a legal ground for the processing of different types of personal data.

Whilst both types of consent must be freely given, specific and informed, the opinion goes on to state that “whilst many app stores provide an opportunity for app developers to inform end users about the basic features of an app prior to installation…[the positive action of clicking to download and install the app] is unlikely to provide sufficient information in order to act as a valid consent for the processing of personal data”.

According to the Working Party, many processes do not provide the user with an alternative to clicking “Yes, I accept”, for example to cancel or halt installation, and “simply checking an ‘install’ button cannot be regarded as a valid consent” to process personal data because consent “cannot be a generally formulated authorisation”. In other words, consents have to be more granular and specific if they are to provide a valid basis for lawful use. Burying consent in terms and conditions or a privacy policy will no longer work. The challenge will be to balance users’ growing desire for increased visibility of and control over their personal data against the legal requirements, without bringing the real-time, enjoyable use of smart devices to a grinding halt.

It is important to get the balance right, as the risks of non-compliance are set to increase. Currently, breaches of either the UK’s Data Protection Act or of the UK’s PECR may lead to fines of up to £500,000 and this looks set to increase to up to 2% of global turnover if the proposed draft EU data protection regulation is approved. Whilst the Working Party’s opinion is not law, the arguments made are likely to be persuasive to the data protection regulators if complaints are received about data processing being carried out without valid consent.

Those involved with smart device apps should assess and adjust their approach to privacy issues accordingly.