A recent opinion from the Article 29 Working Party (a group made up of officials from the data protection authorities in various EU countries) highlights privacy risks for users who download smartphone apps. The opinion provides guidance to the multiple players in the app development world on best practice to ensure data protection compliance, with a particular emphasis on valid consent mechanisms and the provision of clear and comprehensive privacy notices.
The Working Party has identified a number of key risks:
Lack of transparency
Lack of free and informed consent
Poor security measures
Disregard for the principle of purpose limitation (i.e. ensuring that personal data is only processed for specified and legitimate purposes)
Fragmentation between the multiple players in the app development world
The Working Party is particularly concerned about lack of transparency about the amount of data that is accessed through apps and lack of free and informed consent by users in relation to the use of such data. Where information stored on a smart device is accessed through an app it is a legal requirement under the E-Privacy Directive (implemented in the UK through the Privacy and Electronic Communications Regulations) to obtain consent to such access and to provide clear and comprehensive information to users about the purposes for which the information will be used.
However, notwithstanding this legal obligation, users typically install apps with little awareness of the way in which they work, including the fact that apps often access and collect a vast amount of personal data, such as names and contact details in address books, location data relating to the device user, browsing history and credit card and payment data. The Working Party identifies a fundamental lack of transparency to users of apps at the point when the app is installed. Although users are likely to have provided some form of confirmation that they are happy for installation of an app to proceed based on a set of terms and conditions, the Working Party does not consider that this will constitute "free, specific and informed", i.e. valid, consent.
The Working Party advocates a move towards providing users with detailed information about the purposes for which personal information will be used, any third parties to whom the personal data will be provided, and how the users may exercise their rights to withdraw their consent to such use of their data. This information should be made available to users before the app is downloaded. The Working Party also endorses an approach to consent by which the user should be given the option of providing specific consent for each type of data which the app will access. Specific examples of what the Working Party considers will/will not constitute valid consent are included in the opinion.
The provision of information and gathering of consent is made more complicated by the fact that there can often be multiple data controllers in relation to data captured through a single app. The Working Party identifies four main parties involved in the development, distribution and operation of apps, namely app developers, manufacturers of operation systems and devices, app stores and third parties such as advertising networks. Each of these parties could be a data controller in its own right, depending on the extent to which they access data and use it for their own purposes, and will therefore be responsible for ensuring that appropriate privacy notices are provided to app users and that appropriate consent to access data held on smart devices has been obtained.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.