Apps on mobile devices collect large quantities of data from the device and process these (i) in order to provide services to the end-user, but also (ii) for other purposes that are often unknown or unwanted by the end-user. Many of the data processed, such as location data, contact data, unique device and customer identifiers, credit card and payment data, browsing history, pictures, videos, etc., are personal data under EU data protection laws.

The various parties involved in the development and commercialization of mobile apps (or other mobile applications) are often unaware of their obligations under data protection law. These parties include app developers, app owners, app stores, operating system and device manufacturers and other third parties that may be involved in the collection and processing of personal data from smart devices.

In its opinion of February 27, 2013, the Article 29 Working Party1 therefore tries to clarify the legal framework that applies to this processing and to clarify the responsibilities of all parties involved in the app development and commercialization process.

The Opinion identifies the most important data protection risks associated with mobile apps. It provides valuable guidance on inter alia the determination of applicable law. In this context, it is important to underline that the EU rules apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store.

The Opinion underlines that privacy compliance should be implemented as from the development stage and by all parties involved. It is therefore advisable to inter alia contractually agree on the allocation of responsibilities, including the responsibility for technical and organizational security measures. The Opinion states that parties have to take into account the principles of privacy by design and privacy by default. This is clearly inspired by the obligations which will enter into force under the upcoming new EU Data Protection Regulation, discussed in our previous newsletters.

The Opinion provides examples of what constitutes personal data and sets out legal requirements for all parties involved.

Section 4 of the Opinion (“conclusions and recommendations”) is particularly interesting, as it provides for a separate list of obligations (under the current Data Protection Directive and the e-Privacy Directive) and recommendations for each party involved.

For instance, with respect to app developers, the Opinion states the following:

App developers must:

  • Be aware of, and comply with, their obligations as data controllers when they process personal data from and about users;
  • Be aware of, and comply with, their obligations as data controllers when they contract with data processors such as if they outsource the collection and processing of personal data to developers, programmers and for example cloud storage providers;
  • Ask for consent before the app starts to retrieve or place information on the device, i.e., before installation of the app. Such consent has to be freely given, specific and informed;
  • Ask for granular consent for each type of data the app will access; at least for the categories Location, Contacts, Unique Device Identifier, Identity of the data subject, Identity of the phone, Credit card and payment data, Telephony and SMS, Browsing history, Email, Social networks credentials and Biometrics;
  • Be aware that consent does not legitimize excessive or disproportionate data processing;
  • Provide well-defined and comprehensible purposes of the data processing in advance to installation of the app, and not change these purposes without renewed consent; provide comprehensive information if the data will be used for third party purposes, such as advertising or analytics;
  • Allow users to revoke their consent and uninstall the app, and delete data where appropriate;
  • Respect the principle of data minimization and only collect those data that are strictly necessary to perform the desired functionality;
  • Take the necessary organizational and technical measures to ensure the protection of the personal data they process, at all stages of the design and implementation of the app (privacy by design);
  • Provide a single point of contact for the users of the app;
  • Provide a readable, understandable and easily accessible privacy policy, which at a minimum informs users about:
  1. who the app developers are (identity and contact details),
  2. what precise categories of personal data the app wants to collect and process,
  3. why the data processing is necessary (for what precise purposes),
  4. whether data will be disclosed to third parties (not just a generic but a specific description to whom the data will be disclosed),
  5. what rights users have in terms of withdrawal of consent and deletion of data;
  • Enable app users to exercise their rights of access, rectification, erasure and their right to object to data processing and inform them about the existence of these mechanisms;
  • Define a reasonable retention period for data collected with the app and predefine a period of inactivity after which the account will be treated as expired;
  • With regard to apps aimed at children: pay attention to the age limit defining children or minors in national legislation, choose the most restrictive data processing approach in full respect of the principles of data minimization and purpose limitation, refrain from processing children’s data for behavioral advertising purposes, either directly or indirectly and refrain from collecting data through the children about their relatives and/or friends.

The Working Party recommends that app developers:

  • Study the relevant guidelines with regard to specific security risks and measures;
  • Proactively inform users about personal data breaches along the lines of the requirements of the ePrivacy Directive;
  • Inform users about their proportionality considerations for the types of data collected or accessed on the device, the retention periods of the data and the applied security measures;
  • Develop tools to enable users to customize retention periods for their personal data based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  • Include information in their privacy policy dedicated to European users;
  • Develop and implement simple but secure online access tools for users, without collecting additional excessive personal data;
  • Together with the OS and device manufacturers and app stores use their creative talent to develop innovative solutions to adequately inform users on mobile devices, for example through a system of layered information notices combined with meaningful icons.

The full text of the Opinion can be found here.