The European data protection authorities of the Article 29 Working Party (WP29) published their joint Opinion 02/2013 on apps on smart devices on 14 March 2013. The Opinion comes one month after the Dutch Data Protection Authority and the Canadian Office of the Privacy Commissioner published the results of their collaborative investigation into the processing of personal data by WhatsApp Inc. Because of the data protection risks of mobile apps, their widespread use, and their popularity among children, mobile apps remain a priority for the European data protection authorities.
Data protection risks of mobile apps
The Opinion addresses the key data protection risks to end users of mobile apps. According to WP29, such risks range from a lack of transparency and awareness of the types of processing carried out by apps, to poor security measures, invalid consent mechanisms, trends towards data maximisation and elasticity of data processing purposes.
Obligations and recommendations
Applicable legal framework(s)
In order to address these data protection risks, the Opinion clarifies the legal framework applicable to data processing by apps. It notes explicitly that the principles of the Privacy Directive (95/458/EC) apply to the extent personal data are transferred from the app to the data controller. This can be the app developer, the operating system and device manufacturer, the app store, and other third parties. In addition, to the extent any of the parties involved in the app have actual access to the app and/or the device itself, they are subject to what is also referred to as the “cookie rule” under the ePrivacy Directive (2002/58/EC), and thus have to obtain prior informed consent for such access.
Data controller(s) involved in the app
The Opinion lists obligations and recommendations for complying with the applicable legal framework(s), specifically in the context of using and offering apps. The Opinion explicitly states that these obligations apply to the different parties involved in the app ecosystem, whilst noting that there may be an overlap of data protection responsibilities. However, the Opinion stresses the parties' joint responsibility to collaborate in order to achieve the highest standards of privacy and data protection.
Consent and duty to inform
Other obligations and recommendations
WP29 furthermore emphasises that data controllers for apps should apply the principles of purpose limitation and data minimisation as much as possible, for instance by using unique, and often unchangeable, device identifiers only very restrictively, since users are unable to revoke their consent to such identifiers. Data controllers should also be mindful of the security measures they apply to their apps, assessing existing and future data protection risks on an ongoing basis and implementing effective mitigating measures, which include data minimisation. Applying reasonable retention periods includes implementing processes that take into account that users may have lost their mobile device or switched devices, so that predefined periods of inactivity are treated as the expiry of an account. Finally, app developers and data controllers should be particularly mindful of the vast popularity of mobile apps amongst children, and adapt information and consent procedures to take into account a child’s potentially limited understanding of and attention to these controls. Furthermore, children’s data should never, either directly or indirectly, be used for behavioural advertising purposes.