European privacy watchdogs have published an opinion addressing the key data protection risks of mobile apps. The document clarifies the EU legal framework applicable to the processing of personal data in apps on smart devices and outlines several obligations in developing and distributing mobile apps.
Lack of transparency and data maximisation
The key data protection risks to end users in using mobile apps are the lack of transparency and awareness of the types of processing an app may undertake, combined with a lack of meaningful consent from end users before that processing takes place. Once downloaded, mobile apps are able to collect large quantities of personal data from the user’s device, for example by having access to the photo album or using location data.
Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
It is therefore crucial, privacy watchdogs warn, that all parties involved in the development and distribution of apps be aware of data protection requirements, not only to be in line with EU data protection legislation, but also to avoid creating significant risks to the private life and reputation of users of smart devices.
Specific obligations of developing and distributing apps, special focus on children
In the published Opinion 02/2013 on apps on smart devices, EU data protection authorities have consequently detailed the specific obligations that app developers, app stores, advertising providers, and operating system and device manufacturers have in developing and distributing mobile apps.
The opinion focuses on the consent requirement and the principles of purpose limitation and data minimisation.
Mobile apps must, in order to be in line with European data protection law, ask for freely given, specific and informed consent of end users before the app is installed. This consent does not legitimise excessive or disproportionate data processing, and the purpose of data processing must be well defined and comprehensible, and cannot be changed without renewed consent.
Among other things, apps must also collect only the data strictly necessary to perform the desired functionality, provide information if the data will be used for third-party purposes, such as advertising, and define a reasonable retention period for the data collected.
With regard to apps aimed at children, EU data protection authorities warn that mobile apps must pay attention to the age limit defining children or minors in national legislation, choose the most restrictive data processing approach, refrain from processing children’s data for behavioural advertising purposes, and refrain from collecting data through the children about their relatives and/or friends.