On 27 February 2013, the Article 29 Working Party (hereinafter “Article 29 WP”) adopted its newest Opinion WP 202 (hereinafter “Opinion”) regarding apps on smart devices. This article summarizes some of the most important statements and guidelines provided by the European data protection authorities.
First of all, the Opinion emphasizes that the Data Protection Directive (95/46/EC) and the ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC) constitute the relevant EU legal framework for the processing of personal data via apps on smart devices and that both directives are imperative laws which cannot be excluded by contractual agreement.
Four main parties
The Opinion then identifies four main parties which, depending on the purposes and means of the respective data processing activity, carry different responsibilities:
1. App developers
According to the Opinion, app developers decide the extent to which apps access and process personal data on the device and, to that extent, have to be regarded as data controllers. Their responsibilities can be more limited, though, if no personal data are processed or made available outside the device.
2. OS and device manufacturers
Operating system (OS) and device manufacturers are considered as (joint) data controllers for personal data which are processed for the manufacturers’ purposes, such as the smooth running of the device or security issues.
3. App stores
App stores are likely to be regarded as data controllers for the personal data of users (such as their name, address or financial data) that are processed when users purchase apps.
4. Third parties
There are various third parties involved in the processing of data through the use of apps, e.g. advertising networks or analytics providers. The Opinion distinguishes between two roles of third parties. The first is to execute operations for the app owner; in that case, when acting exclusively on behalf of the app developer, the third party is likely to be operating as a data processor. The second is to collect information via apps and process this information for its own purposes; according to the Opinion, in that case the third party acts as a data controller.
The Opinion then examines the legal grounds for handling data in connection with apps. It distinguishes between two main stages of data processing:
1. Prior to installation
According to the Opinion, the user’s consent pursuant to Article 5 (3) of the ePrivacy Directive must be obtained before information may be placed on and/or retrieved from the user’s device. The Opinion points out that this consent refers to any information on the device and must be complied with by every service offered “in the Community”, regardless of the location of the service provider.
In addition, if personal data (e.g. contacts in the address book or pictures) are to be processed before or during the installation of an app, it must also be ensured that the user gives his or her consent pursuant to Article 2 (h) of Directive 95/46/EC.
The Opinion points out that both consent requirements apply simultaneously and that, in each case, the consent must be freely given, specific and informed.
2. During usage of the app
When it comes to the usage of the app itself, the legal ground for the processing of personal data may change: it may be based on consent or on other grounds, such as the necessity for the performance of a contract with the data subject (Article 7 (b) of Directive 95/46/EC) or the necessity for the purposes of legitimate interests (Article 7 (f) of Directive 95/46/EC).
Other topics covered by the Opinion
In addition to the above, the Opinion also examines other relevant topics regarding the processing of data through apps. These include an analysis of the fundamental principles of purpose limitation and data minimisation, a review of the security requirements and information obligations, and a discussion of the data subject’s rights, the retention periods and the specific safeguards that must be taken for the protection of children.
Guidelines and information
Finally, the Opinion provides various conclusions and recommendations for each main party. The most important ones are the following:
App Developers must
- Ask for consent before the app starts to retrieve or place information;
- Ask for granular consent for each type of data the app will access and allow users to revoke their consent;
- Be aware that consent does not legitimise excessive or disproportionate data processing.
OS and device manufacturers must
- Update their APIs (application programming interface) and store rules to offer users sufficient control to exercise valid consent over the data processed by apps;
- Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access personal data;
- Employ privacy by design principles and ensure the default settings of pre-installed apps are compliant with European data protection law;
- Provide (by default) user-friendly and effective means to avoid being tracked by third parties;
- Ensure the availability of appropriate mechanisms to inform and educate the end user before the app installation.
App stores must
- Comply with their obligations as data controllers when they process personal data;
- Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes;
- Provide detailed information on the app submission checks they perform.
Third parties must
- Comply with the consent requirement determined in Article 5 (3) of the ePrivacy Directive when they read or write data on mobile devices;
- Not circumvent any mechanism designed to avoid tracking;
- When acting as advertising parties, avoid delivering ads outside the context of the app.
Of course, this overview can only draw attention to some of the relevant statements the Article 29 WP made in the Opinion. From a practical point of view, one has to keep in mind that the national authorities generally follow this European guidance and adopt it within their own field of activity.