Apps on Smart Devices: Beware of Data Protection issues

The number of people using smart devices has increased dramatically over the past years, and apps on these devices have become an extremely popular way of using the internet. Such apps can place data on, but also collect large quantities of data from, the device on which they are downloaded. European data protection authorities are increasingly concerned as to the effect of the use of such apps on private life and individual reputation.

These concerns have led to the adoption of an opinion on 27 February 2013 by the European data protection authorities (Article 29 Working Party), clarifying the legal framework and general principles applicable to the processing of personal data and highlighting the responsibilities of the different parties typically involved in data processing.

In light of this opinion aimed at app developers, app stores, OS and device manufacturers and third parties (such as advertising networks or analytics providers) we set out below an overview of practical steps which your business could take in order to comply with relevant Data Protection rules.

Legal basis

According to the Working Party, the Data Protection Directive 95/46/EC (the Directive) as well as article 5.3 of the e-Privacy Directive 2002/58/EC apply to any apps used by individuals in the European Economic Area (EEA), regardless of where the data processor itself is located. These legal provisions are mandatory, so they cannot be waived by contract or individual declaration.

The Directive requires a legal basis for the processing of personal data prior to installation or during usage of the app. In the case of apps, the principal applicable legal ground is consent.

Consent

  • Consent must be freely given, informed, specific and capable of being revoked at any time.
  • The user’s consent must be obtained before information may be placed and/or retrieved from the user’s device.
  • A granular authorisation should be obtained for every type of data processed.
  • Consent does not legitimise excessive or disproportionate data processing.

Purpose limitation and data minimisation

  • Data processors should clearly define the purposes for which data is processed and collect only the data that is strictly necessary for the performance of those desired functionalities.
  • Data processors should not change such purposes without renewed consent.
  • The above implies that app developers must have a good overview of their business case before they start collecting personal data and must consistently inform users and operate appropriate controls over them.

Security measures

Once data is collected the law imposes a duty to put in place security measures to ensure protection of the personal data processed.

App developers should

  • choose with great care where data will be stored;
  • put measures in place to prevent accidental transfer of data;
  • put in place clear-cut policies on how software is developed and distributed;
  • avoid complex code; and
  • carefully consider methods of user identification.

Third parties

  • should for example secure transmissions or encrypt the data stored by the app;
  • must not circumvent any mechanism designed to avoid tracking.

Always have a privacy policy

You must provide a readable, understandable and easily accessible privacy policy.
The privacy policy must specify:

  • Your identity;
  • The precise categories of personal data you collect;
  • The purposes of such collection;
  • Whether the data will be disclosed to any third party;
  • How users may exercise their rights in terms of withdrawal of consent and deletion of data.

You should be able to show that you address any such instruction from the user to delete his/her data promptly and lawfully.  Your system should be able to demonstrate such behaviour.

The Working Party recommends the use of visual signifiers, icons or layered information notices in order to provide adequate information to apps’ users and specifies that the size of a smartphone screen is no excuse for providing unclear information. In other words, apps must effectively adapt to the screen size. Broadly speaking, the greater the degree of information given, the more likely it is that the data processor will comply with the legislation.

App developers should, together with the OS and device manufacturers and app stores, use their creative talent to develop innovative solutions to adequately inform users on mobile devices.

Provide privacy menu settings

Throughout the process app users should be able to exercise their rights of access, rectification, erasure and their right to object to data processing.

  • Simple and secure online access tools where users can instantly check all the data being processed about them should be designed and implemented.
  • Users should be able easily to un-install apps and this should automatically lead to the deletion of the relevant personal data.
  • App developers should develop tools to enable users to customize their own retention period, as data should be retained for a strictly defined period.

Children & Apps

Take great care where the app is likely to be used by children and choose the most restrictive data processing approach. You should for example:

  • pay attention to the age limit defining children in national legislation;
  • limit the collection of information from children and specifically refrain from processing data for behavioural advertising purposes; and
  • not collect data relating to the child’s relatives or friends.

The Working Party emphasised that the protection of individuals’ rights requires cooperation between app developers, operating systems and device manufacturers. It is also important that end users should be able to have a single point of contact, in case they need to raise concerns about data protection.

The material contained in this article is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.

©  May 2013

Please contact:

Stuart Miller

DD +44 (0) 20 7553 9936
