Not 'Appy: European Regulators Flag Mobile App Data Protection Risks And Requirements
Consumer Advertising Law Blog
The European Union (EU) Article 29 Working Party, the independent advisory body to the European Commission on data protection and privacy, published an Opinion on 27 February 2013 on the data protection risks, and its recommendations, for those offering mobile applications to users in the EU.
The Opinion reflects the fact that apps have become increasingly popular in recent years, with a reported 1,600 new apps being added to app stores daily and the average smart device user downloading 37 apps. Reams of personal data may be processed when a user uses a mobile app, both personal data held on the smart device on which the app is loaded and data generated by the app itself (e.g. photos, contacts, location data, billing information, browsing history, email, SMS, call log etc.). Through an app, developers may be able to collect personal data continuously and seamlessly, read and write contact data, send email and SMS, record audio, use the camera and prevent the smart device from sleeping. However, despite apps processing significant volumes of personal data, the Working Party considers that many apps and app developers are not complying with EU data protection legislation, particularly the rules on consent, transparency and security. Indeed, a study commissioned in June 2012 showed that only 61.3% of the top 150 apps had a privacy policy at all.
To that end, the Working Party has put forward a range of recommendations for each of the parties involved in the development and distribution of apps, from the app developers to the smart device and operating system (e.g. Android, Win8) manufacturers and the app stores.
You are an app developer based outside the EU, do you need to comply?
In a word, yes. A key finding of the Working Party is that the EU rules (currently Directive 95/46/EC as implemented by the 27 EU Member States' national laws) do apply to any app which is targeted at users within the EU, regardless of the location of the app developer or app store. This is because the Directive (and the national legislation implementing the Directive) bites where data controllers use "equipment" in the EU for the processing of personal data and, in the case of mobile apps, the smart device on which the app is installed and used is treated as the relevant "equipment" for processing personal data. Therefore a US app developer offering its app for sale/download to customers within the EU would need to comply with EU rules.
What are the key findings/recommendations?
- Clear information: the Working Party is concerned about the lack of information about data processing made available to users (e.g. the types of data processed, the purposes of processing and data retention periods). This information should be made available in a clear and unambiguous format prior to installation of the app (e.g. in the app store), and apps/app developers should not alter the purposes or the types of data collected without seeking further consent from the end user. Essential information about data processing should also be available within the app following installation, for example in a privacy policy. A layered or "granular" approach to data protection notices is preferable (e.g. several pop-up boxes allowing users to consent to the processing of certain types of data while refusing others).
- Consent: when an app is installed, certain information may be placed on the device (e.g. "cookies" or similar tracking technology). Users should be given the choice to accept or refuse these, and to accept or refuse the processing of their personal data, e.g. via a "Yes, I accept" option during installation of the app.
- Security: app developers, app stores, operating system and device manufacturers and third parties should ensure that they have appropriate organisational and technical measures to ensure the security of the data they process. They should adopt a "privacy by design" and "by default" approach.
- Outsourcing arrangements/arrangements with third parties: app developers may outsource some or all of their data processing activities to a third party (e.g. external data storage provider, customer service provider, analytics providers etc.). Data controllers must ensure that the third party complies with applicable EU rules when it processes data on their behalf, for example via a data processing agreement.
- Children: the Working Party appreciates that certain apps are designed for and specifically target children. However, app developers and other data controllers should pay attention to national age limits for processing personal data without parental consent (these may vary between 12 and 18 depending on the EU Member State) and consider the child's level of understanding of data processing. Where relevant, parental consent to the processing should be obtained.
The Opinion offers some useful guidance for all the relevant players involved in app development and distribution, in particular on the need to provide clear and unambiguous information about data processing up front (in the app store and in the app) and to ask for consent prior to installation, but perhaps of most interest is the confirmation that non-EU apps must comply with the EU rules where they are installed/used by users in the EU. The Opinion also refers specifically to the new concepts of "privacy by default" and "privacy by design", which were introduced by the draft data protection Regulation (which will, if and when adopted, replace Directive 95/46/EC) and which would broadly require app developers to build compliance with EU data protection law in by design, rather than tacking it on as an afterthought.
© Arnold & Porter Kaye Scholer LLP 2013 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.