The European data protection authorities of the Article 29 Working Party (WP29) published their joint Opinion 02/2013 on apps on smart devices on 14 March 2013. The Opinion comes one month after the Dutch Data Protection Authority and the Canadian Office of the Privacy Commissioner published the results of their collaborative investigation into the processing of personal data by WhatsApp Inc. Because of the data protection risks of mobile apps, their widespread use, and their popularity among children, mobile apps remain a priority for the European data protection authorities.

Data protection risks of mobile apps

The Opinion addresses the key data protection risks to end users of mobile apps. According to WP29, such risks range from a lack of transparency and awareness of the types of processing carried out by apps, to poor security measures, invalid consent mechanisms, trends towards data maximisation and elasticity of data processing purposes.

Obligations and recommendations

Applicable legal framework(s)

In order to address these data protection risks, the Opinion clarifies the legal framework applicable to data processing by apps. It notes explicitly that the principles of the Privacy Directive (95/458/EC) apply to the extent personal data are transferred from the app to the data controller. This can be the app developer, the operating system and device manufacturer, the app store, and other third parties. In addition, to the extent any of the parties involved in the app have actual access to the app and/or the device itself, they are subject to what is also referred to as the “cookie rule” under the ePrivacy Directive (2002/58/EC), and thus have to obtain prior informed consent for such access.

Data controller(s) involved in the app

The Opinion lists obligations and recommendations for complying with the applicable legal framework(s), specifically in the context of using and offering apps. The Opinion explicitly states that these obligations apply to the different parties involved in the app ecosystem, whilst noting that there may be an overlap of data protection responsibilities. However, the Opinion stresses the parties' joint responsibility to collaborate in order to achieve the highest standards of privacy and data protection.

Consent and duty to inform

The Opinion clarifies that consent will in most cases be the only available legal basis for processing personal data, which should be applied separately from the consent requirement for accessing the user’s device under the “cookie rule”, if applicable. In addition, consent should be given freely and specifically, which means that clicking a general “accept” or “install” button will generally be insufficient to constitute valid consent. Users should ideally be able to give a granular consent for each type of data the app intends to access. With regard to providing adequate information, the Opinion notes that the limited size of the screen does not relieve the data controller from providing adequate and complete notice about the relevant aspects of the app’s use of personal data. In this sense, a link to a lengthy privacy policy that cannot easily be read on a smart device is insufficient. Instead, the Opinion recommends a layered approach, presenting users with easily accessible and highly visible information on the key elements of the data processing on the mobile device, and allowing them to link through to more extensive explanations such as a privacy policy. The use of icons and images is encouraged.

Other obligations and recommendations

WP29 furthermore emphasises that data controllers for apps should apply the principles of purpose limitation and data minimisation as much as possible, for instance by using unique, and often unchangeable, device identifiers only very restrictively. This is because users are unable to revoke their consent. Data controllers should also be mindful of the security measures they apply to their apps, by assessing existing and future data protection risks on an ongoing basis and implementing effective mitigating measures, which include data minimisation. Applying reasonable retention periods also means implementing processes that account for users who may have lost their mobile device or switched devices, so that predefined periods of inactivity are treated as expiry of the account. Finally, app developers and data controllers should be particularly mindful of the vast popularity of mobile apps amongst children, and adapt information and consent procedures to a child’s potentially limited understanding of, and attention to, these controls. Furthermore, children’s data should never, either directly or indirectly, be used for behavioural advertising purposes.