EU DPAs on mobile apps: More transparency required

The EU Data Protection Authorities (DPAs) say that in most cases, data controllers will have to rely on individuals’ consent as a legal basis for the processing of their personal data, and that consent needs to be obtained before the app starts to retrieve or place information. In addition, individuals must have the opportunity, when uninstalling apps, to have their personal data deleted where possible.

The EU Article 29 Data Protection Working Party’s opinion, published on 15 March, provides key recommendations for mobile app developers, app owners, app stores, device and Operating System manufacturers and other parties on how to comply with the EU Data Protection Directive and the e-Privacy Directive.

The DPAs say that consent has to be freely given, specific and informed. In the context of smart devices, ‘freely given’ consent means that users must have the choice to accept or refuse the processing of their personal data.

The DPAs demand specific consent for each type of data the app will access, at least in the following categories: Location, Contacts, Unique Device Identifier, Identity of the data subject, Identity of the phone, Credit card and payment data, Telephony and SMS, Browsing history, Email, Social networks credentials and Biometrics. Specific consent means that individuals can specifically control which personal data processing functions offered by the app they want to activate. Developers should not change the purposes of data processing without asking for consent again.

Privacy policies should be simple and preferably layered. They need to, amongst other things, inform individuals if the data will be used for third party purposes, such as advertising or analytics. Information must be provided prior to the collection of data.

See the Opinion.

There will be a session on privacy and mobile apps at Privacy Laws & Business’s 26th Annual International Conference 1-3 July at Queens’ College, Cambridge. Speakers in this session include: Dr Simon Rice, Group Manager (Technology), Information Commissioner’s Office, UK and member of the EU Art. 29 Data Protection Working Party’s Technology Subgroup on mobile apps and geolocation; Nick Graham, Partner, SNR Denton, London; and Kasey Chappelle, Global Privacy Counsel, Vodafone Group Services.