On February 27, 2013, the European Article 29 Working Party (a group comprising representatives from all of the data protection authorities of the EU Member States, referred to in this articles as “WP29”) issued an Opinion on the privacy and data protection implications of the use of apps on mobile devices (“the Opinion”). The Opinion primarily targets app developers, but provides recommendations for all players in the app ecosystem, including operating system (“OS”) developers and device manufacturers, app owners, app stores, and other third parties such as analytics and advertising providers. The Opinion sets out “musts” and “recommendations” for each player and is to some extent consistent with the U.S. Federal Trade Commission’s staff report on Mobile Privacy Disclosures (February 2012).
The Opinion considers the key data protection risks of apps to be a lack of transparency and a lack of the ability to provide meaningful consent. The Opinion recognizes that the ‘real-estate’ on a mobile device is limited because of limited screen sizes, but nonetheless states that users should be appropriately and adequately informed about how their personal information is used, and—where required—that users’ consent should be obtained
Scope and Applicable Law
The Opinion states that mobile apps are covered by both the Data Protection Directive 95/46/EC and the ePrivacy Directive 2009/136. Most data processed via apps is personal data, including unique device identifiers, user IDs, browsing history, contact data, phone calls, SMS, pictures and videos. Any player in the app ecosystem, regardless of its location, must comply with EU/EEA laws if it targets individuals resident in the EU/EEA. However, non-EU/EEA controllers are exempt where data is only processed in the device itself without generating traffic to the applicable data controller(s). Importantly, the user’s acceptance of terms of use or a contractual agreement will not exclude the applicability of EU law and the data controller’s or processor’s obligation to comply. Accordingly, app stores must “warn” app developers about EU/EEA obligations before submitting and making the app available to EU/EEA residents, and reject apps that do not comply.
Notice
The Opinion emphasizes the need to provide comprehensive, easy-to-understand, and timely notice. Notice must be provided “at the point when it matters to consumers, just prior to collection of such information by apps.” In practice, this will mean prior to installation of the app. This notice requirement not only applies to app developers but also to app stores and any OS or device manufacturers who provide pre-installed apps.
Notices should at least contain information about:
- The entity that is legally responsible for the processing of the data, and how that entity can be contacted. Where there are multiple entities involved, apps should provide for a single point of contact.
- The categories of personal information that will be processed through the app, in particular where such categories are not intuitively obvious.
- The purposes for which information is processed. WP29 notes that such purposes should be described narrowly and specifically, and warns for “purpose-elasticity.”
- Whether or not information data will be shared with third parties.
The Opinion further states that “the essential scope of the processing must be available to the users before app installation via the app store. The relevant information about the data processing must also be available from within the app, after installation.” In practice, this will mean that both app developers and app stores carry the biggest burden of ensuring adequate notification, both prior to and after installation. WP29 favors a layered approach that provides essential information in an initial notice and further information via (links to) a complete privacy policy. The Opinion also suggests the development of industry-wide visual logos, icons or images.
Consent
Consent is required for any processing of data via apps. The Opinion states that the two different consent regimes overlap: Under Article 5(3) of the ePrivacy Directive, consent is required to access or store any information on a user’s device; and under the Data Protection Directive, consent is required to process personal data. In practice, a single consent can be obtained for both types of processing. Consent should be “granular” and simply clicking an “install” button would not suffice. In order for consent to be valid, it needs to be freely given, specific and informed (which places additional importance on the quality and scope of the notice). Other legal bases may be used for processing at a later stage (during use of the app) but only by app developers.
Children
The Opinion also calls for extra attention to applicable national age requirements. Many national privacy laws in EU Member States require parental consent for minors of certain ages. In addition, even when consent can be legally obtained from a minor and the app is intended to be used by a minor, developers should be particularly mindful of the minor’s potentially limited understanding of, and attention for, information about data processing. Developers and app stores should adapt their notices and data processing practices accordingly. WP29 further notes that children’s data should never, whether directly or indirectly, be used for behavioral advertising purposes, as this will fall outside the scope of a child’s understanding.
Security and Retention
App developers should pay specific attention to the security of their apps, and implement security considerations at the design stage of the app. They should also carefully consider where data will be stored (locally on the device or remotely), and not use persistent (device-specific) identifiers, but instead use app-specific or temporary device identifiers to avoid tracking users over time.
Also, app developers must consider appropriate retention periods for the personal information they collect, taking into account that users may lose their devices or switch devices. App developers are recommended to implement procedures that will treat accounts as expired after defined periods of inactivity.
Different Players
Although the Opinion references app developers in many of its requirements and recommendations, WP29 acknowledges that responsibilities are shared between different players. The Opinion states that every app should provide a single point of contact for users, “taking responsibility for all the data processing that takes place via the app.” The Opinion provides the following recommendations:
- App stores are usually data controllers, in particular when they facilitate upfront payments for apps, support in-app purchases and require user registration. App stores should: (i) collaborate with OS and device manufacturers in developing user control tools (such as symbols representing access to data) and display them in the app store; (ii) implement checks in their admissions policy to eliminate malicious apps before making them available in the store (and provide detailed information on such submission checks to users); (iii) implement a privacy-friendly remote uninstall mechanism based on notice and consent; (iv) collaborate with app developers to proactively inform users about data security breaches; and (v) consider the use of public reputation mechanisms whereby users rate apps not only on their popularity but also on privacy and security.
- OS and device manufacturers are usually the data controllers (or joint controllers) when they process data for their own purposes, for example for smooth running of the device, security, back-ups or remote facility location. OS and device manufacturers should: (i) develop technical mechanisms and interfaces that offer sufficient user control, in particular via built-in consent mechanisms at the first launch of the app or the first time an app attempts to access data that has a significant impact on privacy (this also applies to pre-installed apps); (ii) ensure that the app developer implements sufficiently granular control and can access only the data necessary for the functioning of the app; (iii) ensure that the user can block the access to the data and uninstall the app in a simple manner; (iv) implement mechanisms to inform users about what the app does, what data the app can access, and provide settings to change parameters of processing (OS and device manufacturers share this responsibility with app stores); (v) develop clear audit trails into the devices, such that end users can see which apps have been accessing which data on their devices; (vi) prevent covert monitoring of users and put in place a mechanism to avoid online tracking by advertisers and other third parties (in particular, default settings must be “such as to avoid any tracking”); and (vii) ensure security by strengthening authentication mechanisms, enabling strong encryption mechanisms, and providing security updates.
- Ad providers, analytics providers and communications service providers act as data processors where they execute operations for app owners such as analytics, provided they do not process data for their own purposes or share data across app developers. In this context, such third parties have limited obligations, mostly related to data security. However, third parties are data controllers where they collect or share data across apps, provide additional services, or provide analytics figures “at a larger scale,” such as for app popularity and personalized recommendation. In such cases, third parties should: (i) obtain consent for behavioral or targeted advertising, as well as accessing or storing any information on the device; and (ii) apply security requirements, in particular secure data transmission and encrypted storage of unique device and app identifiers and other personal data. Where communications service providers issue branded devices, they must ensure that consent is obtained for any pre-installed apps. Ad providers must not deliver ads outside the context of the app, such as by delivering ads through modified browser settings or placing icons on the mobile desktop. Advertisers should further refrain from using unique device or subscriber IDs for tracking purposes.