The Data Protection Commissioner published a press release on 14 March 2013 on the opinion adopted by the European data protection authorities of the Article 29 Working Party on the key data protection risks for mobile apps.
The Article 29 Working Party on the Protection of Individuals with regard to the processing of personal data is an independent advisory body on data protection and privacy which was set up under Article 29 of the Data Protection Directive 95/46/EC. Full details of how the Article 29 Working Party operates are outlined in the following link.
A full copy of Opinion 02/2013 on apps on smart devices is available for download here. The opinion notes that whilst app developers wish to provide new and innovative services, apps may pose significant risks to the private life and reputation of users of smart devices if they do not comply with EU data protection law. In addition, apps must provide sufficient information about what data they are processing before that processing takes place, in order to obtain meaningful consent. The opinion further notes that poor security is another risk which could lead to unauthorised processing of personal data and increases the possibility of a data breach.
In its conclusion, Opinion 02/2013 sets out a series of recommendations in respect of the various parties involved in the development, distribution and technical capabilities of apps.
The opinion notes that most conclusions and recommendations are aimed at app developers, since they have the greatest control over the precise manner in which the processing is undertaken and information is presented within the app. Amongst the many conclusions and recommendations are:
- App developers must be aware of and comply with their obligations as data controllers when they process data from and about users.
- App developers must ask for consent before the app starts to retrieve or place information on the device, i.e. before installation of the app.
- App developers must allow users to revoke their consent and uninstall the app, and delete data where appropriate.
- It is recommended that app developers inform users about their proportionality considerations for the types of data collected or accessed on the device, the retention periods of the data and the applied security measures.
App Stores
- App stores must be aware of and comply with their obligations as data controllers and enforce the information obligation of the app developer.
- App stores must give special attention to apps directed at children to protect against unlawful processing of their data.
- It is recommended that app stores subject all apps to a public reputation mechanism and provide feedback channels to users to report privacy and/or security problems.
OS and Device Manufacturers
- Both parties must enable users to uninstall apps and provide a signal to the app developer to enable deletion of the relevant user data.
- Both parties must develop clear audit trails into the devices so that end users can clearly see which apps have been accessing data on their devices, and the amounts of ongoing traffic per app in relation to user-initiated traffic.
Third Parties must
- Be aware of and comply with their obligations as data controllers when they process personal data about users.
- Comply with the consent requirement under Article 5(3) of the ePrivacy Directive and not circumvent any mechanism to avoid tracking.
- It is recommended that third parties develop and implement simple but secure online access tools for users without collecting additional excessive personal data, and only collect and process data that are consistent with the context in which the user provides the data.
The above is only a synopsis of the conclusions and recommendations reached by the Article 29 Working Party in Opinion 02/2013; for those interested, the full opinion is linked above.