Smart devices are increasingly central to our day-to-day lives. Data subjects are routinely using them for an extraordinary range of activities — from audio and video calls, to checking everything from bank balances to social media networks, not to mention browsing and accessing digital content libraries. Such uses are most commonly undertaken using 'apps' — software applications designed for a specific task, targeted at a particular set of smart devices, which organise information in a way suitable for the specific characteristics of the device. These apps are able to collect large quantities of data from smart devices (such as geolocation data and data stored on the device by the user, such as contacts and addresses) and process these data in order to provide new and innovative services to the end user.

There is a broad range of players involved in processing such data. The cast includes app developers, operating system providers and advertising networks. Inevitably, this explosion of data processing raises a myriad of privacy questions: what data are being shared, with what third parties and why? How often are data being accessed and, once accessed, how are they further used/shared? What can data subjects do to control how their data are used? This article considers these questions, drawing from recent guidance from the Article 29 Working Party on mobile applications on smart devices, and from the US Federal Trade Commission's guidance on 'Mobile Privacy Disclosures'.

Background

The Article 29 Working Party Opinion on mobile applications on smart devices (the 'Opinion' — copy available at: www.pdp.ie/docs/10024), dated 27th February 2013, emerges in the context of mobile phone apps accessing, processing and transferring ever more user data. Alongside this increase in data processing, users of such apps appear to be increasingly ceding their ability to monitor or control such data access. For example, earlier this year the French National Commission on Computing and Liberty ('CNIL') undertook an analysis of the data processing activities of 189 apps on six iPhones, and found that one in 12 of the apps accessed the address book on the iPhone, and almost one in three accessed location information.

Need for guidance

Working Party Chairman, Jacob Kohnstamm, has suggested that the processing of data on mobile apps 'often happens without the free and informed consent of users, resulting in a breach of European data protection law'. With this in mind, the stated objective of the Opinion is to clarify the legal framework applicable to the processing of personal data in the distribution and usage of apps on smart devices, and to consider further processing which might take place outside of the app, such as using the collected data to build profiles and target users.

The Opinion analyses the key data protection risks, provides a description of the different parties involved, and highlights the various legal responsibilities. In this regard, the Working Party has highlighted certain categories of personal data that pose the greatest threat to data privacy. Most notable amongst these are location, contacts and unique device identifiers. The Working Party focuses its analysis in particular on the requirement for consent and the key data protection principles of the Data Protection Directive (95/46/EC) ('the Directive') of purpose limitation, transparency, fair processing, security and data minimisation.

The Opinion highlights the risks associated with apps as centring on lack of awareness of users, lack of transparency (often arising from invalid consent mechanisms), inadequate security measures and 'a trend towards data maximisation and elasticity of data processing purposes', caused by a fragmented app landscape, the broad range of technical access opportunities and a lack of legal awareness among the key contributors to the app environment.

The Opinion makes (non-binding) recommendations for each participant in the app development and distribution ecosystem (this ecosystem consisting of the app developers, the app stores, the operating system ('OS') and device manufacturers, as well as third parties such as advertising networks or analytics advisors).

The Opinion suggests that smart device users characteristically retain a substantial amount of personal data on their smart devices (including photos and videos, location data and contact/address details) and that apps which are running on such devices may often access the user's personal data without the user's knowledge, understanding and/or consent. The Opinion suggests that this results in a disregard for the principles of purpose limitation and data minimisation which, in turn, leads to excess data being collected, processed and disclosed with a consequent increase in the risk arising from inappropriate data processing (for example, data breaches).

Legal context/framework

The Opinion recaps the legal framework applicable to data processing by mobile apps. The primary legal framework is the Directive, with the specific consent requirement for storing and retrieving information (notably not only personal data) on and from a device under Article 5(3) of the e-Privacy Directive (2002/58/EC) also being relevant.

Helpfully, the Opinion focuses on the application of these rules: the Working Party states that these rules apply to any app targeted at, or used by, app users located within the European Economic Area, regardless of the location of the entity accessing data through the app, and regardless of the location of the app developer or app store. The Working Party further notes that the foregoing legal requirements cannot be 'contracted out' or waived.

Recommendations

The Working Party analyses common processing circumstances and concludes that each participant will likely be a data controller at some point in the chain of processing (or a joint controller if there is an overlap of data protection responsibilities). The Opinion emphasises the app parties' joint responsibility to collaborate in order to achieve high standards of data privacy. Turning to the allocation of responsibilities, app developers are expected to:

  • seek freely given, specific and informed consent before installation of the app;
  • obtain 'granular consent' for each specified category of data the app will access;
  • explain purposes of the data processing before installation of the app in a clearly defined fashion (and not alter these purposes without fresh consent);
  • provide an accessible, readable privacy policy, which explains disclosures and recipients; and
  • not process children's data for behavioural advertising purposes.

The Working Party further recommends that app developers employ a system of layered information notices and evocative icons.

The Opinion recommends app stores should:

  • provide information on the privacy assessments they make pre-app upload to their marketplace; and
  • enforce an obligation on app developers to inform users in plain, clear-cut language.

Device and OS manufacturers are advised by the Working Party to:

  • update their interfaces so that users can exercise control over how their data are processed;
  • introduce mechanisms for consent collection at the point of initial app use;
  • prevent secret monitoring of the user; and
  • provide effective default settings to avoid being tracked by advertisers.

The Working Party further recommends that OS and device manufacturers introduce clear audit trails such that users can clearly see which apps have been accessing data on their devices, plus the nature and level of outward-bound traffic per app.

Amongst the recommendations for third parties (such as advertisers) are that they:

  • comply with the consent requirement under the e-Privacy Directive;
  • employ anti-tracking mechanisms;
  • avoid presenting advertisements outside the context of the app; and
  • avoid processing children's data for behavioural advertising purposes.

Notice and consent

The Opinion states that consent will often be the sole legal basis available to justify the processing of personal data. In what will present operational challenges for app developers, the Opinion suggests this consent is to be obtained separately from the consent required for accessing the user's device under Article 5(3) of the e-Privacy Directive.

The requirement for consent to be given freely suggests that an 'install' button will also, by and large, be inadequate to constitute effective consent. Rather, the Opinion envisages a granular consent for each type of data the app intends to access.

The Opinion remarks that the constrained screen size of smart devices does not discharge the data controller's obligation to furnish adequate and complete notice about the use of personal data by the app. In this regard, the Opinion recommends a layered approach, such that users are provided with easily accessible and highly visible information regarding the key processing being undertaken on the smart device, with a link to more comprehensive information (for example, in a web-based privacy policy).

Comparison to FTC approach

Concurrently with the advent of the Working Party Opinion, federal regulators in the US are progressively more focused on mobile apps, with the Federal Trade Commission ('FTC') recently releasing (in February 2013) its recommendations for mobile privacy in the context of app usage (the 'Report' — copy available at www.pdp.ie/docs/10025). The Report should be viewed in the context of increased regulator action in this area, for example, the Californian Attorney General issuing proceedings in December 2012 against Delta Airlines, arising from an alleged failure by that airline to include a privacy notice on its app (although this case was subsequently dismissed by the Californian court).

In the Report, the FTC focuses on the means by which app developers and 'platform' providers can notify consumers of their privacy practices. As with the Opinion, the Report is not binding, but rather proposes best practices for transparent privacy notification. Much of the FTC report focuses on the platform providers (described as the 'gatekeepers to the app marketplace') and advocates that app platform providers:

  • offer a 'dashboard' that allows users to decide what apps can access what data;
  • employ icons to depict the transmission of user data; and
  • require (by contract) that app developers include privacy disclosures and affirmative consent before collecting sensitive information.

Observations

There is much overlap between the Opinion and Report (notwithstanding the differing data protection/data privacy traditions and systems between the EU and the US). For example, as with the Opinion, the Report provides that app developers should have a privacy policy, in the US context available through the platform's app store. Again the focus of both documents is on providing recommendations for steps the key players in the app ecosystem can take to render data usage clearer and easier to understand for the data subject/consumer. The FTC is perhaps more focused on consent and notification, especially prior to the accessing of content that consumers may regard as confidential or sensitive.

Taken together, the Opinion and the Report leave app developers (and others in the app ecosystem) with a clearer sense of what is required. However, many of the recommendations (for example, obtaining granular consent for each category of data the app will access) are far from straightforward to implement.

Both the Report and the Opinion signal that data privacy/data protection regulators in the US and the EU are increasingly focused on (and knowledgeable about) mobile apps. This is likely to result in an expectation of greater compliance and a significant reputational (and potentially financial) cost for those app developers and app platforms that do not move quickly to introduce compliant practices.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.