In a formal opinion released publicly on March 14, the EU Article 29 Working party warned businesses in the mobile industry that they must comply with EU Data Protection laws, including the Data Protection Directive and Section 5(3) of the E-Privacy Law, if they target apps to EU users, regardless of where the businesses are located.
The Working Party believes that the amount of information, and in particular personal information, collected via mobile apps has been staggering. Given the high risk that such collection poses to EU data protection because of the potential transfer and disclosure of the information, the Working Party issued the opinion to clarify the EU legal framework applicable to the processing of personal data in the development, distribution, and usage of apps on smart devices. The opinion focuses on consent requirements, purpose limitation and data minimization, security measures, informing end users about their rights, reasonable retention periods, and fair processing of data collected from and about children.
The opinion sets out the detailed compliance steps that the Working Party believes are required under EU law, and also provides some additional, recommended steps to bolster privacy protections on mobile apps. These requirements and recommendations are broken down by entity and are aimed at app developers, app stores, device manufacturers, and third parties.
App Developers. The opinion states that app developers must:
- Ask for freely given, specific, and informed consent before retrieving or placing information on a device, i.e., before installation;
- Seek granular consent for each type of data the app will access, and at least for the categories location, contacts, device identifier, data subject identity, identity of the phone, payment data, telephony and SMS, browsing history, email, social networks credentials, and biometrics;
- Not engage in excessive processing;
- Explain the purposes for data processing and seek renewed consent if the purposes change;
- Allow users to revoke consent and uninstall the app, and delete data where appropriate;
- Provide a single point of contact for users;
- Create a readable and understandable privacy policy, including what rights users have to withdraw consent and delete data;
- Provide mechanisms for access, rectification, and deletion of information;
- Define a retention period and a time period after which an account will be treated as expired; and
- For apps aimed at children, pay attention to the age limit defining children in national legislation, choose the most restrictive data processing approach in full respect of the principles of data minimization and purpose limitation, refrain from processing children’s data for behavioral advertising purposes, and refrain from collecting data through children about others.
The Working Party also recommends that app developers: proactively inform users about personal data breaches; develop tools to enable users to customize retention periods based on their specific preferences and contexts; and include information in their privacy policy dedicated to European users.
App Stores. With respect to app stores, the opinion states that they must:
- Enforce the notice obligations of the app developer, including the types of data the app is able to access and for what purposes, as well as whether the data is shared with third parties;
- Give special attention to apps directed at children, and enforce the obligation to present the relevant information in a simple manner, in age specific language; and
- Provide detailed information on the app submission checks they actually perform, including those aimed to assess privacy and data protection issues.
The opinion also recommends that app stores do things such as collaborate with other players to develop icons and other tools to inform users about data usage, develop an uninstall mechanism, and warn app developers about EU law before offering an app for sale in the EU.
Device Manufacturers. The opinion states that device manufacturers must:
- Update their APIs, store rules, and user interfaces to allow users to exercise valid consent over the data processed by apps;
- Integrate consent mechanisms into their devices;
- Ensure that default settings of pre-installed apps are compliant with EU law;
- Provide security measures; and
- Provide settings that allow users to stop being tracked and make those settings the default.
The opinion recommends that device manufacturers enable users to uninstall apps and transmit a signal to the app developer to delete data; work to help develop granular consent mechanisms; and develop audit trails so that users can see which apps have been accessing what data.
Third Parties. The opinion requires third parties to:
- Comply with the consent requirements in the E-Privacy Directive;
- Not circumvent any mechanism designed to avoid tracking;
- Avoid delivering ads outside the context of an app, such as by modifying browser settings or placing icons on the mobile desktop;
- Refrain from the use of unique device or subscriber identifiers for the purpose of tracking; and
- Refrain from processing children’s data for behavioral advertising purposes.
The opinion recommends that third parties develop and implement online access tools for users and only collect and process data that are consistent with the context in which the data was provided.
Many are comparing the Art. 29 Working Party opinion with the staff report issued in February by the FTC urging the app industry to provide more transparency regarding their mobile collection and use practices. The opinion adds to the growing list of mobile app guidance/rules issued over the last year that companies involved in the mobile industry must consider in developing and rolling out their products.
