Who: German Data Protection Authorities (“Düsseldorfer Kreis”)
When: 16 June 2014
Where: Germany
Law stated as at: 14 July 2014
What happened:
In a joint effort, all German Data Protection Authorities (“DPAs”) have published long awaited guidelines, calling upon app developers to comply with German data protection law and to develop privacy-friendly apps. The guidelines set out the legal and technical framework that developers of mobile apps have to comply with.
Over the past two years, German DPAs – led by the Bavarian DPA – have already conducted “app sweep days” and examined apps with regard to their legal compliance. So far, however, enforcement has been marginal – something that will change in the near future, as the DPAs made unmistakably clear in their press release.
App sweep findings
In the course of their recent app sweeps, the DPAs found that the information provided to users about the collection and use of their data was generally insufficient. Most apps in the German and European app stores lack clear and transparent information about which data is collected, accessed and processed via the app and for which purposes such data is used.
The DPAs concluded that these shortcomings mainly result from the fact that a lot of app developers simply don’t have the necessary knowledge or awareness. Against this background, the DPAs have now published the guidelines in order to support and inform app developers and other market participants about the main legal and technical requirements.
“Privacy by design” leitmotiv
The guidelines complement the EU Art. 29 Working Party’s paper on mobile apps of 2013, but provide more practical advice. As a general rule, the German DPAs regard the principle of “Privacy by Design” (or privacy by default) as their leitmotiv, i.e. the duty for app developers to build their apps with privacy in mind from the outset. The paper is primarily targeted at app providers (i.e. the companies making the app available via the app stores) as the parties mainly responsible for the data collection and processing via an app, while making it clear that other parties, including the app stores, also bear a certain responsibility under data privacy laws.
In a nutshell and amongst many other points, the guidelines require app developers to comply with the following:
- during the development process app developers must ensure that only such personal user data is collected and processed as is absolutely necessary for the performance of the app;
- users have to be informed about the type, scope and objective of the collection, the processing and the use-cases of their personal data in a comprehensible manner. In this context, the DPAs require an app-specific privacy policy – ideally integrated into the product page in the respective app store (and before the use of the app starts at the latest) so that users can take notice before the download;
- it is insufficient to reuse a privacy policy designed for a similar web service, i.e. the privacy policy must be app-specific and must specifically address the data collection and use via the app. For instance, any collection of data via the various sensors of a mobile device, such as the camera or microphone, must be disclosed;
- the privacy policy must be integrated into the app and must be easily accessible from within the app. The same applies to the app developer’s contact details;
- the guidelines provide useful guidance on how valid user consent can be obtained – something which is often an issue in practice;
- specific requirements apply to location data, which the regulators regard as particularly sensitive. Thus, the guidelines require not only transparency but also that the app developer reduce the granularity of the data to the extent possible (e.g. collecting a coarser position than the device can deliver when the app’s purpose does not need precise coordinates);
- similarly, with regard to health data, banking data and other, especially confidential personal data, including data of minors, stricter rules apply; and
- finally, the guidelines set forth a number of technical safeguards that app developers are required to implement (again: privacy by design), including sufficient server backend encryption, secure password requirements, etc.
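Two of the requirements listed above, data minimisation (collecting only what the app’s purpose needs) and reduced granularity of location data, are concrete enough to show in code. The following is an added illustration written for this summary, not code from the DPA guidelines or from any real app; the purpose-to-field mapping, the sample event and the choice of two decimal places are constructed assumptions. It coarsens coordinates by rounding and measures how far the stored point can drift from the true one, so a developer can justify the chosen granularity against the app’s purpose.

```python
"""
Privacy-by-design helpers for an app backend: purpose-bound data
minimisation and location coarsening. Added example; the purpose table
and sample event are constructed, not taken from any real product.
"""
import math

# Assumption: every processing purpose declares exactly which fields it
# needs. Anything not listed is dropped before storage or transmission.
PURPOSE_FIELDS = {
    "weather_forecast": {"lat", "lon"},
    "crash_report": {"app_version", "os_version"},
}


def coarsen_location(lat, lon, decimals=2):
    """Reduce location granularity by rounding to a fixed number of
    decimal places. Roughly: 2 decimals ~1.1 km cells, 1 decimal ~11 km,
    0 decimals ~111 km (at the equator; narrower in longitude further north)."""
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinates out of range")
    return round(lat, decimals), round(lon, decimals)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km; used to quantify the displacement
    introduced by coarsening so the granularity choice can be documented."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def minimise_event(event, purpose, location_decimals=2):
    """Keep only the fields the declared purpose needs and coarsen any
    location that survives. Unknown purposes are rejected rather than
    silently allowed, so an undeclared use cannot collect data."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {k: v for k, v in event.items() if k in allowed}
    if "lat" in out and "lon" in out:
        out["lat"], out["lon"] = coarsen_location(out["lat"], out["lon"], location_decimals)
    return out


# Constructed sample event, as a careless client might send it: it carries
# far more than a weather lookup needs (device id, address book).
SAMPLE_EVENT = {
    "lat": 48.13743,
    "lon": 11.57549,
    "device_id": "constructed-device-id",
    "contacts": ["a@example.com"],
    "app_version": "1.2.3",
    "os_version": "constructed-os",
}

if __name__ == "__main__":
    slim = minimise_event(SAMPLE_EVENT, "weather_forecast")
    drift = haversine_km(SAMPLE_EVENT["lat"], SAMPLE_EVENT["lon"], slim["lat"], slim["lon"])
    print("stored:", slim)
    print(f"displacement from true position: {drift:.3f} km")
```

The point of `haversine_km` is documentation rather than processing: when a regulator asks why a given precision was chosen, the developer can state the maximum displacement the rounding introduces and tie it to the app’s stated purpose.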
Why this matters:
The guidelines are a must-read for every app developer making apps available in Germany and throughout Europe. Although little in the document is really surprising, the guidance is the first useful and comprehensive overview of the challenges posed by German and EU privacy laws to all those who develop and market apps. The most important message, however, is this: the previous ceasefire is over, and German DPAs, and likely other EU data protection authorities as well, will now get down to business with non-compliant apps.
Non-compliance with the guidelines might lead to administrative fines of up to EUR 300,000.00 and the considerable brand damage that such enforcement action is likely to cause. It is to be expected that the German DPAs will make avid use of their right to enforce data privacy compliance and to impose administrative fines in a much stricter way from now on. Thus, the actual risk of non-compliance with data privacy laws will dramatically increase. This is a good moment for all app developers to take a close look at their own apps and make sure they are compliant.
The guidelines of the German DPAs are available (in German) here.