By Dan Cooper and Philippe Bradley
This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here).
The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices.
This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.
Of particular concern to app developers targeting the European marketplace will be its recommendations that app makers must ensure that:
- new user consent to data collection must be specific, informed and granular – and the precise purpose of the collection must be set out in “well-defined” and “comprehensible” terms, and in the case of third party purposes such as analytics and advertising, “comprehensive”;
- any deviation from the specified purposes in new versions of an app must be subject to renewed user consent;
- third parties with whom data will be shared must be specifically, not generically, described;
- developers must adopt a ‘privacy by design’ approach to internal planning, development and QA processes;
- apps must only collect data that is strictly necessary to perform the desired functionality;
- users must be allowed to access, rectify, erase and object to data processing, and be informed of those mechanisms;
- apps must only retain data for a “reasonable retention period”, and accounts should expire after a predefined inactivity period, following which a user should be given an opportunity to retrieve their data, which must otherwise be deleted or irreversibly anonymised (and on the back of this prescription, they recommend that users be given tools to alter the length of these periods); and
- when dealing with under-age users, app developers must exercise particular care and adherence to the data minimisation principle, and refrain from processing their data for behavioural advertising purposes.
The Working Party considers that app stores must enforce app makers’ obligations to fully inform potential users prior to their installation of the app, and must publish detailed information on the data protection checks they perform when an app is submitted for distribution through the store.
OS and device manufacturers
The report also places a burden upon on OS and device manufacturers to:
- employ “privacy by design” principles, and prevent secret monitoring of users;
- ensure that an app’s default settings render it compliant with EU data protection law;
- offer developers granular, not wholesale, access to data, sensors and services; and
- provide effective means to avoid tracking by third parties – and this protection must be enabled by default.
The report recommends that they put in place APIs to allow users to send data deletion requests to local or remote user data stores.
The Working Party goes on to state that third parties must, for example:
- refrain from circumventing privacy measures such as “Do Not Track” browser tools; and
- specifically avoid delivering ads outside the context of the app – so must not, for example, place icons on mobile desktops or redirect browser home pages.
Network operators and other telcos, if they bundle apps with the devices they distribute with contracts or sell through their stores, must obtain valid consent from users for those pre-installed apps. They must also “take on board relevant responsibilities when contributing to determining certain features of the device and of the OS, e.g. when limiting the user’s access to certain configuration parameters or filtering fix releases (security and functional ones) provided by the device and OS manufacturers”, hinting that the Working Party has reservations at the practice of withholding certain OS updates from older phones.
App makers are left in a difficult position. On the one hand, implementation of these features, such as discarding data after predefined retention periods, could be technically challenging; they will at the very least add to codebase and QA complexity, and will be difficult to implement without creating a less straightforward user experience. The report also makes it clear that developers must audit and understand the functionality of any third party software libraries that they rely upon, to fully ensure that all gathering and processing of user data by their app will be compliant with EU law.
On the other hand, this detailed report is a sure sign that data protection and privacy regulators are becoming more experienced in the domain, more certain in their expectations, and more precise with the standards they are seeking to impose – the risks and costs of noncompliance may well be on the rise.