Topic: Privacy
Who: Article 29 Working Party (the “Working Party”)
When: 27 February 2013
Where: EU
Law stated as at: 2 April 2013
What happened:
The Working Party has adopted an opinion on apps on smart devices (the “Opinion” – http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2013/wp202_en.pdf).
In the Opinion, the Working Party clarifies the legal framework regarding data protection issues in app development and distribution.
It also highlights the key data protection risks and discusses how they can be addressed.
The main European legislation regarding data privacy as it applies to apps is the Data Protection Directive 95/46/EC and the e-privacy Directive 2002/58/EC. Whilst established entities and players in
Europe may be well aware of their obligations under these Directives, the message from the Working Party appears to be that the key players in app development and distribution may be failing to meet the required standards of EU data privacy law.
Multiple players may drop data privacy ball
This may be the result of a lack of knowledge of EU data privacy law or simply the fragmented chain of players involved in bringing
an app to market. Key players such as app developers, operating system and device manufacturers and app stores can all contribute to minimising privacy risks as further described below.
The Working Party comments that it is for data controllers to ensure they are aware of their obligations and take responsibility for data privacy throughout the app development and distribution process.
In their dealings with third parties, data controllers should ensure their processing contracts provide for sufficient compliance with EU data privacy laws in all processing. The Working Party also suggests that in their dealings with data subjects, data controllers should ensure that their identity and contact details are clearly provided (a sole data controller contact is suggested by the Working Party for simplicity) so that data subjects can exercise their rights (e.g. subject access requests).
Privacy policies needed
The Opinion discusses the level of information provided to, and adequacy of consent obtained from, app users. It cites a recent study which alarmingly “reported that just 61.3% of the top 150 apps
provided a privacy policy”.
How can sufficient consent be obtained if users are not given any information about how and by whom their data will be used?
Clearly apps should include transparent and accessible privacy policies which inform users about the details of data processing and the data controller, amongst other requirements in order to obtain sufficiently informed consent.
The Opinion also criticizes app sign up processes which, once the app is downloaded, deal with consent by simply including a tick box indicating that the user accepts the terms and conditions.
This will not deliver the “free and informed” consent required so far as personal data is concerned. An option to “Cancel” or otherwise halt the app installation must be available.
Granular methods for obtaining consent
The Opinion also notes the wide range of data that apps use. Apps may involve the processing of location data, images and text stored in users phones, and even carry out data grabs of users’ address books.
The Working Party states that the use of such different types of data should be made transparent in privacy policies and methods of obtaining consent to such use should be granular.
This is to ensure that users have a real choice in specifying the data that they consent to being processed. Additionally, users should be given the opportunity to withdraw their consent, for example where a
new version of the app they download involves new data processing purposes.
Data minimisation key
Connected with this is the Working Party’s concern that adequate respect should be given to the principles of data minimisation and purpose limitation.
App developers should consider whether they actually require access to the data they obtain in order for the app to function, rather than simply carry out an indiscriminate data grab. Is location data required from a user at all times if that user only occasionally accesses an app which provides details on local amenities?
The Working Party also warns that consent does not legitimise excessive or disproportionate processing and advises that apps should “enable rectification, erasure or blocking of personal data if they are incomplete, inaccurate or processed unlawfully”.
A general theme in the Opinion is that there should be more transparency for app users on the processing of their data and their
choices. Each of the main players in the industry has an element of
responsibility with regard to minimising data privacy risks and the Opinion sets out requirements and recommendations for each of these. With a reported figure of “more than 1,600 new apps [being] added to app stores daily”, it is clear that these data privacy risks should be addressed.
Why this matters:
Apps are widely used as marketing tools and where marketers use data obtained through apps in their capacity as data controllers, they should be sure to meet their data privacy responsibilities.
Data controllers using apps should take account of the requirements and recommendations set out in the Opinion to increase their
compliance with the law. It is clear that data controllers in the app industry can take steps to ensure their direct actions reduce data privacy risks, and that they have sufficient agreements in place with data processors to reduce risks further down the chain.
