The publication of the Article 29 Data Protection Working Party’s opinion “Apps on Smart Devices” (the “Opinion”) has provided clarification on the legal framework applicable to the processing of personal data on different smart, especially mobile, devices. The Opinion is a comprehensive guide and a must-read for all stakeholders in the apps “eco-system”. It analyses: the different parties’ various legal responsibilities; the consent requirement; the principles of purpose limitation and data minimisation; the need to take adequate security measures; the obligation to correctly inform end-users; and fair processing of data collected from and about children.
The Article 29 Data Protection Working Party is an independent European advisory body on data protection and privacy set up under the Data Protection Directive (95/46/EC).
Its Opinion, adopted at the end of February 2013, deals with the increasing number of serious data protection risks for apps users. These risks have arisen due to the fragmented nature of the apps “eco-system”, the wide range of technical access possibilities to data stored in or generated by mobile devices and the lack of legal awareness amongst apps developers. These risks range from a lack of transparency and lack of awareness amongst app users to poor security measures, invalid consent mechanisms, a trend towards data maximisation and elasticity of data processing purposes.
The Opinion has sought to clarify the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices. It has also considered further processing which might take place outside an app itself, such as using the collected data to build profiles and target users.
The Opinion identifies the key data protection risks and describes the different parties involved, including their various legal responsibilities, in terms of what they are legally obliged to do and what they are recommended to do as best practice. These stakeholders include:
Furthermore, the Opinion has considered a number of other matters including: the consent requirement; the principles of purpose limitation and data minimisation; the need to take adequate security measures; the obligation to correctly inform end users of their rights; reasonable retention periods; and fair processing of data collected from and about children.
Notable amongst the Opinion’s lists of recommendations and guidance are:
Hans Graux comments:
The key merit of the Opinion is that it makes a clear distinction between the various participants in the apps ecosystem, and recognises that data protection rules affect each of them in a different way. App creators, sellers and users would therefore do well to check their compliance with data protection rules on the basis of this Opinion.