HL Chronicle of Data Protection Privacy & Information Security News & Trends

European Regulators State that Non-EU Mobile Apps Must Comply with EU Privacy Laws

The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices”, adopted on 27 February 2013 (the “Opinion”).

Applicability of EU laws

According to WP29, the 1995 Data Protection Directive applies to all mobile applications (“apps”) available to European users regardless of where the application developer is located. The WP29’s view is that because the mobile devices in which the apps reside are “instrumental in the processing of personal data from and about the user,” the devices become “processing equipment” triggering the application of EU data protection law. This is so even where the data controller directing the processing (generally the app developer) is not established in the EU. WP29 notes that the so-called “cookie consent provisions” of the 2002 ePrivacy Directive (the “Cookie Rule”) also apply to apps downloaded by European users: users’ consent must be obtained prior to installing or accessing any information stored on their devices. In sum, EU law applies to any app downloaded by a European user.

The issue of consent

The Opinion states that two different kinds of consent must be obtained (albeit they can be obtained simultaneously): (i) consent to process data, as per the 1995 Directive; and (ii) consent to install and process data on a device in accordance with the Cookie Rule. Specific wording is therefore required to address both. The Opinion requires that users have freedom to say no, and WP29 notes that many apps do not currently provide users with the choice of saying “no, thank you” to processing. The Opinion also says that consent must be granular (i.e., users should be able to grant consent for the processing of only certain categories of data while declining others). Apps should not ask users to consent to a laundry list of data collection practices contained in lengthy terms of use. Applying granular consent options can prove challenging in a mobile environment, but WP29 says that creative app developers should be able to solve this problem.

The obligation to inform users

The Opinion also addresses the insufficiency of information provided to users, including the lack of transparency regarding the exact purposes for which the information is being used (with operators often disregarding the principle of limiting processing to the purposes for which data was collected); the categories of data processed (data minimization being often ignored); and data retention terms. The Opinion emphasizes that apps should provide notice before starting to process personal data and cites the U.S. Federal Trade Commission’s (FTC) staff report on mobile privacy disclosures in support of “just-in-time” notice. The Opinion also emphasizes clear and plain language and eschews the use of broad terms (e.g., citing language that allows sharing for “product innovation”).

Security

The Opinion does not go into detail as to which security measures or procedures should be implemented but points to ENISA guidelines as a starting point. The Opinion underlines the need to carefully consider data storage locations, server architecture, user identification methods, etc. To that end, WP29 requires app developers to adopt a “privacy by design” approach.

Conclusions and recommendations

WP29 points out that many apps are not compliant with EU privacy rules. Apps often fail to request users’ consent with a sufficient level of “granularity” regarding the categories of data processed, and only 61% of apps have privacy policies. WP29 also states that it shares the FTC’s concerns about apps that target children and states that apps should not process children’s data for behavioral advertising purposes.

WP29 makes several dozen recommendations, the most notable of which include:

  • For app developers: implement proactive data breach notifications; develop tools that allow users to customize the retention periods for their personal data; and include EU specific provisions in privacy policies.
  • For app stores: coordinate with app developers to create user control tools such as icons or symbols that inform users about how apps are collecting and generating data; implement “remote uninstall mechanisms” that allow users, developers, and stores to remove apps, including malicious apps, based on users’ informed consent; and inform developers about EU data protection laws prior to distributing apps in Europe.
  • For OS and device manufacturers: create user-friendly uninstall mechanisms so users may remove apps and request the deletion of relevant data; create tools that allow users to register their consent to data practices with a sufficient level of granularity concerning the categories of data processed and the purposes for which it will be used; and develop audit tools that allow users to identify the apps that have accessed their data.
  • For third parties: develop and implement online tools that enable users to obtain information about how their personal data is being processed by third parties.