Mobile applications are convenient, entertaining, easy to handle, cheap and versatile. However, using apps means processing personal data and triggers data protection laws. The question therefore arises of what this means for the common user.
To answer this question, it is useful to remember role allocation under data protection law. On the one hand, the data controller wishes to process other people's personal data; on the other, the subject whose data is to be processed wants it to be protected. Therefore, data protection requires balancing these competing interests.
The data protection implications of app use can be best illustrated with an example. Consider a simple app such as, for example, an app to manage a calendar. The user uses the app to manage his or her personal calendar data and is therefore the data subject. The app provider processes the user's calendar data and is therefore the data controller. The provider's processing of the user's calendar data is legitimate as the user uses the app for this purpose, and indeed wishes the app provider to process the calendar data.
However, the situation becomes more complex if the app provides for joint calendar data management within a defined user group. For example, if a user synchronises all the other group members' calendar data in order to set a joint appointment, he or she processes not only his or her own calendar data, but also that of the other group members. Therefore, he or she is no longer the sole data subject and instead becomes a data controller of the other group members' data. Accordingly, all the provisions of the Data Protection Act that regulate a data controller's activities apply to the user.
Obligations under the act include:
- the need to register with the Austrian data protection authority;
- proper handling of data subjects' requests;
- ensuring that adequate security measures are in place; and
- adhering to the law's data breach obligations.
The user faces numerous regulatory provisions with which he or she might be unable to comply or of which he or she may be simply unaware. Although the calendar management example is relatively simple, when considering the diversity of all apps used on a daily basis and the number of users using them, it becomes clear that data protection legal issues will quickly arise.
The legal literature is well aware of this subject and discusses various approaches to solving it. One approach is the so-called 'household exemption', which allows unregulated data processing if it happens within the personal and private sphere of the data controller. Another approach suggests that users' consent must be gained. However, many apps trigger data processing that exceeds the processing of data within the sole private and personal sphere of the user. In those cases, the household exemption will not apply. Furthermore, none of the popular app stores currently provide for valid consent declarations.
This issue is still unresolved - users still risk being fully regulated, thereby having to adhere to all the obligations imposed by data protection law when processing other people's data through an app.
Users would thus be well advised to consider whether they would wish to have their own data processed in the same way before processing other peoples' data through an app. The processing of other people's personal data through an app triggers full responsibility under data protection laws.