The ICO has launched its new guidance for app developers to help combat the public’s perception that personal information collected through apps is not being appropriately protected under the Data Protection Act 1998 (“DPA”).

What?

The Information Commissioner’s Office (“ICO”), responsible for data protection policy and enforcement, has turned its attention to app development, “one of the UK’s fastest growing industries”. The ICO intends to address the public concern regarding collection and use by app developers of consumers’ personal information by producing new guidance aimed at app developers.

So What?

The DPA stems from EC Directive 95/46, which was drafted at a time when the internet itself was (relatively) only in its infancy. The data protection implications of apps were not at the forefront of legislators’ minds at the time. The intention, in order to address future technological developments, was therefore to keep the UK law technology neutral. However, these new programmes have raised issues not necessarily found in existing technologies, particularly due to the small screen on which they are viewed, the data that the app may access from an individual’s smart device and the security of that data once stored by the developer.

New challenges have therefore arisen for individuals providing their personal information in this way, for the app developers in ensuring they use such information in compliance with the relevant data protection law, and for the ICO in ensuring that legal obligations are supplemented with best practice recommendations.

The ICO’s focus on this area led to it recently asking consumers about their privacy concerns regarding apps when commissioning a YouGov survey. The results, which may be surprising to app developers, found that well over half (62%) of those surveyed who use apps are concerned about how app developers may use their personal information, with 49% of individuals confirming that they have made the decision not to download a specific app because they were worried about the privacy implications.

The ICO sums this up by stating: “this means that app developers are potentially losing over half of their market or risk pushing away nearly two-thirds of their hard won app users”.

So the message from the ICO to developers is clear: consumers are becoming extremely privacy savvy – their concerns around data protection must be addressed now, or app developers risk losing out on business. The ICO’s guidance, which can be viewed here, is designed to help developers setting up a new app or revamping their existing app. The key areas of guidance focus on:

  • identifying personal data – i.e. not just name or image, also information such as IMEI numbers, MAC address and mobile phone numbers;
  • determining who is the data controller;
  • collecting minimum data – to the extent necessary for the performance of the app;
  • privacy impact assessments or PIAs – developers should consider publishing the completed assessment, but should also regularly review and re-publish;
  • “privacy by design” – ensuring that data protection is a high priority when developing the app and as such ingrained in its framework;
  • “layered privacy notices” – so as not to weaken the user experience, the idea is to provide information in layers; if the user wants further information, they can click on a link for more details;
  • transparency – information about the processing of users’ personal information should be presented before any personal information is collected – important information should not be hidden and developers should not try to mislead users;
  • the use of “just-in-time” prompts – to notify users when certain actions have particularly intrusive privacy implications, e.g. when geo-location information is being collected;
  • use of advertising – this must be made clear to users, as must the use of any analytics in the app; and
  • encryption – where storing data for later use or transmitting usernames, passwords and any particularly sensitive information, only established cryptographic methods and codes should be used.

Of particular importance here is the need to correctly identify which party or parties act as data controller(s) under the DPA. In line with the 2013 Opinion of the Article 29 Working Party on Smart Devices and their 2010 Opinion on data controllers, the ICO will look carefully at who is controlling the purposes for which data is collected and the means of collection. Developers, app stores and platform providers therefore need to consider very carefully in what capacity they are dealing with any personal data (if at all). For example:

  • where developing an app on behalf of a client, the developer is unlikely to be a data controller, but the client would be and would expect the developer to incorporate “privacy by design”; 
  • where the developer is deciding what data is collected, storing personal data on their servers and also transferring data to other organisations (who process the data for their own purposes, such as an advertisement network) they may well be acting as a data controller; or
  • where personal data collected through the app transfers directly to a third party (who controls that data) and is not stored on the developer’s server.

It is important that each set of operations in relation to the personal data is reviewed. It’s quite possible for a developer and platform operator to have multiple roles and switch from processor to (joint) controller. Even where the developer isn’t the controller, the ICO would still expect the developer to be fully transparent and explain to users what will happen to their data when they use the app. Of course, the parties’ obligations (if any) under the DPA should be identified when carrying out the privacy impact assessment. In addition, developers will need to test the user experience for all platforms that they are developing for and take into account what information is (and isn’t) provided to users by such platforms. To the extent that a platform is collecting personal data for its own purpose, it too may be a data controller.

Like the 2013 Article 29 Working Party Opinion on Smart Devices, the focus of this ICO guidance is on the consumer market for apps, but it makes for uncomfortable reading for those in the business app market, and also raises questions for providers of some cloud services where the degree of control over the purposes and means of processing may arguably be said to shift to the service provider.

Considering the spotlight on app developers and the impending developments in the draft EU data protection regulation, the recommendations set out by the ICO in its guidance should be taken seriously. If a complaint is made against an app developer, one of the first things the ICO would consider is compliance with its guidance. The ability to map the guidance carefully onto the creation of apps may also be an opportunity for app providers when pitching against other providers to customers.