The Article 29 Working Party (the “A29WP”), a grouping of representatives from the various European data protection and privacy regulators, recently issued an opinion on apps on smart devices.
There are two constants with the A29WP’s opinions:
- Firstly, although often presented as such, they are not an authoritative statement of the law. They simply set out the collective (sometimes aspirational) interpretation of the European data protection directive.
- Secondly, the opinions set out a far stricter interpretation of the directive than that usually taken by the UK’s Information Commissioner’s Office (ICO). This reflects the fact that the ICO usually takes a more business friendly/pragmatic approach to interpreting the law than some of its European counterparts.
That said, the latest opinion provides some useful guidance for app developers, and builds on previous guidance from California’s attorney general and the GSMA, which I summarised in this blog post last year.
The guidance also follows on from the so-called Cookie Law, which (contrary to popular opinion) also applies to mobile apps.
Why do mobile apps raise privacy concerns?
As I noted in that blogpost, there are a number of reasons for the current privacy deficiencies with mobile apps:
- The market is immature, with many apps developed by individuals or small companies not familiar with privacy laws, but whose products have become hugely popular.
- The distribution model is fragmented and apps frequently incorporate third party services (for example, mapping providers) into their functionality. SDKs and OS developer rules impose strict controls on developers, yet they don’t provide the necessary tools to ensure that developers adopt privacy by design.
- The mobile app market has developed at the same time as a vast expansion in the data created by devices, such as geolocation data.
- Many app developers are located outside the EU and are therefore unfamiliar with European privacy rules, despite the fact that they are selling their apps to users in the EU.
The opinion imposes a number of requirements on app developers. These include:
- App developers must understand their obligations as data controllers when they process data from and about users.
- Freely given, specific and informed consent must be sought before an app is stalled.
- Granular consent must be obtained for each specific category of data that the app will access.
- The user must be provided with well-defined details of the purposes for which data will be processed before the app is installed. General purposes such as “product innovation” or “market research” are, in the A29WP’s opinion, not sufficient.
- The purposes for which data is processed must not be changed without obtaining new consent from the user.
- Allow users to revoke their consent and uninstall the app and delete data where appropriate.
- Incorporate data minimisation and privacy by design/default.
This is presumably why the opinion also sets out a number of requirements on app stores and OS and device manufacturers, even though there appears to be little base in law for such requirements (the neither party is a data controller in relation to data primarily processed by the app/the app developer).
These requirements, for example, oblige app stores to check that app developers have incorporated appropriate consent mechanisms, and obligations on OS manufacturers to build additional controls into their OS APIs to facilitate consent to access data on the device.
The practical approach
The opinion also skims over one of the other big issues with mobile apps – the use of third party services. In many cases, I suspect that app developers simply aren’t aware of which party is responsible for data protection compliance. Where third party services are utilised (for example, mapping or geolocation), there will often be multiple data controllers. However, the app developer is the party that controls the primary interface with those third parties and therefore needs to flag the terms on which such third parties will use the data collected.
Given the opacity of the policies provided by many third party service providers (and the lack of clear guidance from regulators when the revised cookie law came into force), working this out is often difficult.
You can read the A29WP’s opinion in full by following this link (PDF). If you are an app developer and would like to discuss how your app collects data, and what you can do to ensure that it complies with EU data protection law, please get in touch.
On April 18, 2013