The Article 29 Working Party gives its views on what stakeholders must do to comply with privacy laws and calls for greater cooperation between app developers, owners, stores, operating system and device manufacturers, and third parties who process personal data collected through apps.

What's the issue?

Where apps on smart devices involve the use of personal data, the Data Protection Directive 1995 (95/46/EC) and the ePrivacy Directive (2002/58/EC) as revised by (2009/136/EC) will apply to apps used in the EEA.  Due both to the way in which apps are developed, often by individuals or small companies with little knowledge of data protection requirements, and to what the WP refers to as the "degree of fragmentation between the many players in the app development landscape", many apps fail to comply with applicable law.

What's the development?

The WP has issued an Opinion which clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices.  It provides a handy list of requirements for the different parties involved as well as making a number of recommendations which should be taken to be best practice. While the Opinion is not binding, the WP is made up of national regulators who will be strongly guided by it when they apply the law in their own country.

What does this mean for you?

If you are an app developer, app owner, app store, operating system (OS) or device manufacturer, or if you process personal data collected through apps, or if you advise any of these parties, this is essential reading.  Of particular interest are the WP's views on how to obtain valid consent from end users to the processing of personal data, which focus on granular consent, i.e. separate consent for each type of personal data being processed.

The Data Protection Directive applies to all processing of personal data carried out in the context of an establishment of the controller on the territory of a Member State and to a controller not established within the EU but using equipment situated within the EU (the smart device in question will qualify as relevant equipment).  Certain provisions of the ePrivacy Directive will apply to all parties who store or access information stored in the devices of users in the EEA.

The WP identifies key data protection risks to end users as "the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before that processing takes place.  Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment".  These risks are compounded by the degree of fragmentation between the key players (i.e. developers, platforms, stores, operating systems and device manufacturers and third parties).

The WP acknowledges that app developers bear the brunt of data protection responsibilities. It says, however, that they need to collaborate with Operating System (OS) and device manufacturers, app stores and third parties (such as analytics providers) in order to achieve full compliance, especially in the areas of security standards and privacy by design or default.

The Opinion focuses heavily on consent requirements because Article 5(3) of the e-Privacy Directive provides that:

"the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing"

In addition, the principal legal justification for the initial processing of personal data from apps under the DPA is likely to be consent.  Consent to place any information on or read a user's device and consent for the processing of personal data are two separate consent requirements stemming from different legislation, and consent for both must be sought and must be "free, specific and informed".  The WP says both types of consent may be collected together provided the user is made "unambiguously aware" of what (s)he is consenting to.  A 'click and install' mechanism is unlikely to satisfy consent requirements (although it may satisfy the e-Privacy Directive requirements) because insufficient information is given to the user, who will not be able to give specific and informed consent on that basis.

The WP also says that for consent to be freely given, it must be capable of being withdrawn.  The user should be free to accept or refuse the processing of personal data and the user should not be provided with a single 'accept' option in order to complete installation but should also have the option to stop or 'cancel' the installation of the app at this stage and delete data.

Consent should be sought before any data is processed.  The WP recommends seeking 'granular consent' for each type of data the app will access rather than asking for a general consent.  It says consent must be sought for each of "at least the categories of Location, Contacts, Unique Device Identifier, Identity of the data subject, Identity of the phone, Credit card and payment data, Telephone and SMS, Browsing history, Email, Social Networks credentials and Biometrics".  Default settings should be used to prevent data processing or tracking without user consent.

Central to obtaining consent is the provision of information to the end user or data subject of at least:

  • the identity of the data processor;
  • the precise categories of data which will be collected and processed;
  • the purposes for which data will be processed;
  • whether the data will be disclosed to third parties; and
  • how data subjects can exercise their rights in terms of withdrawal of consent and deletion of data.

This must be given prior to the collection of data via the app store to be legally valid and must also be accessible from within the app after installation.  The information must be clear and precise.  Giving "elastic" purposes, such as marketing, is not sufficiently explicit to inform users.  At the very least, every app should have: "a readable, understandable, easily accessible privacy policy".

Once appropriate consent has been obtained, app developers are reminded that they need to comply with the data protection principles and process data only for the purposes for which consent has been sought and to minimise data collected.  The WP criticises the "alarming disregard" with which data from apps is distributed to third parties for "undefined or elastic purposes such as market research" and cautions against data being used for purposes unconnected with the functionality of the app.  Information and user controls are considered to be key in ensuring that the principles of data minimisation and purpose limitation are complied with.

The WP does acknowledge that there are limitations to the amount of information which can be presented on a small screen and offers suggestions such as layered notices (e.g. initial notice containing links to further information), use of icons, images, video and audio and real time notifications.

In addition, apps must clearly and visibly inform users about their rights to rectify, erase or block personal data and provide them with clear and easily accessible mechanisms with which to exercise their rights.  Users must be provided with the means with which to withdraw consent and delete data both during and after installation of the app.

The WP points to APIs (which give developers access to the underlying data on devices) as a possible means for standardising the way in which data is accessed and introducing privacy by design or by default.  It urges all players to use their creativity to ensure privacy laws are complied with.

The WP also gives special consideration to the situation with children, reminding app developers and data controllers that children may not be able to give legally valid consent and even if they can give consent, that the data controller must consider the child's probably restricted level of understanding.  Data controllers should not process children's data for Online Behavioural Advertising purposes and language used in apps directed at children should be appropriately clear.

In the conclusion to the Opinion which is worth reading in detail (pp27-30), the WP lists out what each relevant party needs to do to comply with data protection law.  Possibly the most onerous of these is the concept of 'granular' consent i.e. consent for each type of data being processed.

The Opinion also sets out lists of 'recommendations' which are clearly optional but are to be regarded as best practice or desirable in future.  The recommendations focus on developing tools to enable apps to give more sophisticated information to users and give them more options to tailor apps to their own preferences, for example, in relation to data retention, layered information provision and notices through "meaningful icons".  In addition, app developers and OS device manufacturers are urged to develop ways to give users more information and allow audit trails so they can follow how data is used and to whom it is distributed.  Online access tools are recommended to enable sophisticated user settings.  In essence, the WP is calling for cooperation between the parties involved to ensure the law is complied with to the fullest extent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.