Apps on Smart Devices: WP29 Opinion

The publication of the Article 29 Data Protection Working Party’s opinion “Apps on Smart Devices” (the “Opinion”) has provided clarification on the legal framework applicable to the processing of personal data on different smart, especially mobile, devices. The Opinion is a comprehensive guide and a must-read for all stakeholders in the apps “eco-system”. It analyses: the different parties’ various legal responsibilities; the consent requirement; the principles of purpose limitation and data minimisation; the need to take adequate security measures; the obligation to correctly inform end-users; and fair processing of data collected from and about children.

Background

The Article 29 Data Protection Working Party is an independent European advisory body on data protection and privacy set up under the Data Protection Directive (95/46/EC).

Its Opinion, adopted at the end of February 2013, deals with the increasing number of serious data protection risks for apps users. These risks have arisen due to the fragmented nature of the apps “eco-system”, the wide range of technical access possibilities to data stored in or generated by mobile devices and the lack of legal awareness amongst apps developers. These risks range from a lack of transparency and lack of awareness amongst app users to poor security measures, invalid consent mechanisms, a trend towards data maximisation and elasticity of data processing purposes.

The Opinion: an overview

The Opinion has sought to clarify the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices. It has also considered further processing which might take place outside an app itself, such as using the collected data to build profiles and target users.

The Opinion identifies the key data protection risks and describes the different parties involved , including their various legal responsibilities, in terms of what they are legally obliged to do and what they are recommended to do as best practice. These stakeholders include:

• app developers;
• app owners;
• app stores;
• device and Operating System manufacturers; and
• other third parties that may be involved in the collection and processing of personal data from smart devices (such as analytics and advertising providers).

Furthermore, the Opinion has considered a number of other matters including: the consent requirement; the principles of purpose limitation and data minimisation; the need to take adequate security measures; the obligation to correctly inform end users of their rights; reasonable retention periods; and fair processing of data collected from and about children.

The Opinion: recommendations

Notable amongst the Opinion’s lists of recommendations and guidance are:

• At the very least, every app should have a readable, understandable and easily accessible privacy policy. Currently many apps do not meet this minimum transparency requirement. Apps which do not, or are not intended for the processing or personal data, should clearly state this within their privacy policy.
• App developers, and other data controllers in the mobile app ecosystem, must enable app users to exercise their rights of access, rectification, erasure and their right to object to data processing.
• Apps must clearly and visibly inform their users about the existence of access and correction mechanisms. The Opinion recommends the design and implementation of simple but secure online access tools.
• Users should always be provided with the possibility to withdraw their consent in a manner which is simple and not burdensome. It must be possible to un-install apps and thereby remove all personal data, also from the servers of the data controller(s).
• The Opinion reminds all information society services, such as apps, that the European data retention obligation (Directive 2006/24/EC) does not apply to them and therefore cannot be invoked as a legal ground to continue to process data about app users after they have deleted the app.

Hans Graux comments:

The key merit of the Opinion is that it makes a clear distinction between the various participants in the apps ecosystem, and recognises that data protection rules affect each of them in a different way. App creators , sellers and users would therefore do well to check their compliance with data protection rules on the basis of this Opinion.

For further information on this legal development please contact Hans Graux, lawyer at IT law firm time.lex.

This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals and is not designed to provide legal or other advice.