The 29 Working Party has recently adopted an opinion drawing attention to the privacy risks of mobile apps and the importance of all the players involved within the mobile apps world. Accordingly, mobile apps collect process and store a huge amount of personal data and of different categories, including sensitive data, without complying with the Data Protection Directive.
Scope: any app targeted to app users within the EU
To begin with the 29 Working Party underlines that the European Privacy Rules applies to any app targeted to app users within the European Union, despite the location of the app developer or app store.
Goes on addressing the several privacy risks for app users mostly linked to the wide range of technical access possibilities to data stored in or generated by mobile devices as well as to the lack of privacy and data protection awareness of the several players.
Main rules app players should comply with
To face those risks, the 29 WP highlights the need to:
- give individuals control of their own personal data by providing comprehensive information before any processing takes place and transparency;
- collect prior, free, specific and informed consent from the apps users for the purposes declared;
- enhance security measures to avoid unauthorised processing by means of data maximisation and wide-ranging purposes;
- protect children by adopting a more restrictive approach, use a clear and simple language and refrain from some processing, such as behavioural advertising as well as collect from them data from their relatives and/or friends;
- the mobile apps players be aware of their own responsibilities and cooperate with each other as a team to reach efficient and higher standards of privacy and data protection.
App players’ to do lists
And concludes with a long to do lists and recommendations to each of the app players - app developers, app stores, operating system and device manufacturers as well as third parties (such as analytics providers and advertising networks) – in order to comply with the European Privacy Rules.
Within the large to do lists applicable to the app players, among other tasks, we can see:
- Ask for granular consent for each type of data the app will access;
- Provide well-defined and comprehensible purposes in advance to installation of the app and broad information if the data will be used for third party purposes;
- Allow users to revoke their consent and uninstall the app as well as delete data where appropriate;
- Respect the data minimization principle by collecting data on a need basis to perform the users request;
- Implement the privacy by design principle in all stages of the app’s design and development;
- Define a reasonable retention period for data collected and predefine a period of inactivity.
- Enforce the information obligation of the app developer giving a special attention to children;
- Provide detailed information on the app submission checks performed.
Operating System and device manufacturers
- Implement consent collection mechanisms in the apps operating system;
- Employ privacy by design principles;
- Offer granular access to data, sensors or devices;
- Provide default settings to avoid tracking;
- Inform and educate users;
- Implement security with tools that prevent malicious apps from spreading and allow in an easy way the functionalities installation and uninstallation.
- Not circumvent any mechanism designated to avoid tracking;
- Ensure the valid consent of users for pre-installed apps (applicable to communications service providers);
- Avoid delivering ads outside the context of the app and refrain from the use of unique device or subscriber identifiers for the purpose of tracking (applicable to advertising parties);
- Apply appropriate security measures.
How to ensure the effectiveness of these rules and recommendations?
Without questioning the existence of the privacy risks of mobile apps as stressed by the 29 WP in its most recent opinion and agreeing with many of the considerations made not only as far as the apps players responsibilities are concerned but also to the recommendations made by the 29 WP, I believe that no effectiveness will be reach if the users (in their majority) continue to follow the by default “I don’t care” approach or, even worse, if the so many obligations and recommendations that each of the apps players should comply with may be eventually counterproductive.
What about users and Regulators?
In my opinion there are two other players that should not be forgotten: the users and the Regulators as the responsibilities on privacy issues should not be left solely to the economic operators. I believe that the users should be somehow encouraged to be more aware and care about these matters that have significant effects on them and the Regulators should perform an important role to achieve such goal by educating and promoting awareness campaigns in a proactively basis as well as participative activities that motivates interaction of the users in privacy matters such as those arising from the use of mobile apps.