Privacy & Information Security Law Blog

On February 27, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) addressing personal data protection issues related to the development and use of applications on mobile devices. The Opinion identifies the key data protection risks associated with mobile apps and clarifies the legal framework and obligations applicable to the various parties involved in the development and distribution of mobile apps, including app stores, app developers, operating system and device manufacturers and advertisers.

The Opinion first notes that, because smart phone and tablet users typically store a considerable amount of personal data (e.g., location information, banking details, photos, videos) on their devices, applications running on such devices may access personal data without the user’s consent. The Opinion discusses app-related security risks that could potentially cause personal data breaches, and the fact that apps may be used in ways that disregard the principles of purpose limitation and data minimization. Disregarding those principles may, in turn, result in excess data being collected and disclosed to third parties for unspecified purposes, like “market research.”

The relevant legal framework applicable to the processing of personal data through apps is EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). In addition, the specific consent requirement contained in Article 5(3) of e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) applies to the storing or accessing of any information (not only personal data) on mobile devices. The Working Party stresses that both directives apply to mobile apps used by individuals located in the European Economic Area, regardless of the location of the entity accessing data through the app. The Working Party further warns that European privacy law requirements cannot be waived by a unilateral declaration or a contract provision.

The Opinion provides key recommendations for mobile app compliance with the Data Protection Directive and the e-Privacy Directive, with a focus on ensuring (1) that device users are adequately informed of the ways in which the information on their mobile device can be accessed and used through apps; (2) that device users are in control of such access and use and (3) that adequate security measures are put in place to protect data collected and used by apps. Although most of the recommendations are aimed at app developers, other players in the app market may be subject to the same data protection responsibilities. The following are some of the key recommendations from the Opinion:

• App developers should include information directed to users in the EU in mobile app privacy policies.
• App developers should work with operating system and device manufacturers and app stores to determine how best to provide adequate information to mobile device users about issues like data breaches.
• Operating system and device manufacturers should facilitate the implementation of icons to alert users about the different ways in which apps use their data.
• App developers should create tools that enable users to customize retention periods for their personal data.
• Operating system and device manufacturers should enable users to uninstall apps and ensure all user data is deleted.
• Operating system and device manufacturers should facilitate regular security updates.
• App developers should take into account the relevant guidelines with regard to specific security risks and measures.