The U.S. Federal Trade Commission isn’t the only regulatory authority to raise concerns over consumer privacy and data security with respect to mobile technologies. Less than a month ago, Article 29 Working Party, an advisory body set up under EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, adopted a comprehensive opinion addressing personal data protection issues related to the development and use of applications on mobile devices. The opinion is relevant to any app developer, app store, operating system and device manufacturer and advertiser that processes data on EU data subjects through mobile apps.
A first concern raised in the opinion is the potential for applications to access consumer data without prior consent. This concern arose from the vast amount of data being stored and processed on mobile phones, and the ease with which applications could take advantage of the “data fog” to collect bits and pieces of data. In addition, concerns were raised with respect to vulnerabilities of apps and the security risk they pose by facilitating data breaches.
The applicable legal framework to the processing of personal data through apps is the EU Data Protection Directive 95/46/EC. In addition, the specific consent requirement contained in Article 5(3) of e-Privacy Directive 2002/58/EC applies to the storing or accessing of any information (not only personal data) on mobile devices. The Working Party stresses that both directives apply to mobile apps used by individuals located in the European Economic Area, regardless of the location of the entity accessing data through the app. The Working Party further warns that European privacy law requirements cannot be waived by a unilateral declaration or a contract provision.
The Opinion provides key recommendations for mobile app compliance with the Data Protection Directive and the e-Privacy Directive, with a focus on ensuring (1) that device users are adequately informed of the ways in which the information on their mobile device can be accessed and used through apps; (2) that device users are in control of such access and use and (3) that adequate security measures are put in place to protect data collected and used by apps. Although most of the recommendations are aimed at app developers, other players in the app market may be subject to the same data protection responsibilities. The following are some of the key recommendations from the Opinion:
- App developers should include information directed to users in the EU in mobile app privacy policies.
- App developers should work with operating system and device manufacturers and app stores to determine how best to provide adequate information to mobile device users about issues like data breaches.
- Operating system and device manufacturers should facilitate the implementation of icons to alert users about the different ways in which apps use their data.
- App developers should create tools that enable users to customize retention periods for their personal data.
- Operating system and device manufacturers should enable users to uninstall apps and ensure all user data is deleted.
- Operating system and device manufacturers should facilitate regular security updates.
- App developers should take into account the relevant guidelines with regard to specific security risks and measures.
