On March 14, 2013, the European data protection regulators (the Article 29 Working Party, or WP) issued a 30-page opinion addressing how mobile apps should comply with EU data protection law (the Opinion). The main focus of the Opinion is on app developers, but it also describes the obligations of other parties involved in the development and distribution of apps, such as app stores, operating system and device manufacturers, and third-party advertising providers.
While the WP opinions are not binding, they give a clear indication of how data protection authorities in the EU (DPAs) would interpret their national laws and therefore should be taken into account when developing new apps targeted at EU individuals. According to the Opinion, the use of apps entails a number of risks such as a lack of transparency and awareness with regard to the type of processing an app may undertake, a lack of meaningful consent from individuals, poor data security measures, and a high degree of fragmentation among the various players in the app ecosystem.[1] To address these risks, the WP provides a number of recommendations that we have summarized below.
1. EU Data Protection Law Applies to Any App Targeted at EU Users
The WP takes the view that EU data protection law applies not only to entities with an establishment in the EU processing personal data via an app, but also to any entity located outside the EU collecting personal data of individuals located in the EU via an app, regardless of the location of the app developer or the app store. According to the WP, targeting users within the EU and collecting personal data via an app is sufficient to trigger the application of the whole set of EU data protection requirements.
Under EU data protection law, the concept of "personal data" is interpreted extremely broadly. In the app context, this includes location, contacts, unique device identifier (e.g., IMEI, IMSI, UDID, and mobile phone numbers), identity of the user of the phone, credit card and payment data, SMS, browsing history, email, social-network authentication credentials, pictures, videos, and biometrics.
In addition, the cookies consent requirements of the EU e-Privacy Directive apply to any entity that reads or accesses information on mobile devices of users located in the EU, wherever their location may be.
2. Roles and Responsibilities of Players in the App Ecosystem
The Opinion identifies the various players involved in the app ecosystem and defines their roles and responsibilities.
App developers: App developers are the main players responsible for compliance with EU data protection law since they decide to what extent the app will access and process the several categories of personal data in the device and/or through remote computing resources (e.g., the app requires access to the entire address book to deliver the service). They therefore are considered to be data controllers and should comply with the whole set of requirements of EU data protection law. Unfortunately, no consideration is given to situations where app developers only develop an app that is then used by a corporation for its own purpose.
Operating system (OS) and device manufacturers: In some cases, the OS or device manufacturers also can be considered to be data controllers subject to EU data protection law. For example, when an app uses location data, the OS may collect this data to provide it to the app, and also may consider using the data to improve its own location services. In addition, OS and device manufacturers play a key role in implementing the principles of "privacy by design" and "privacy by default."
App stores: App stores also may process personal data as data controllers and thus be subject to EU data protection law. For example, an app store typically collects log-in credentials, the history of previously purchased apps, and user credit-card numbers. According to the WP, app stores must implement checks and procedures to ensure that every app targeted at EU individuals complies with the main EU data protection principles. For instance, the app store should check the hyperlinks to privacy notices posted on the apps and remove those with broken links or otherwise inaccessible information.
Third-party advertising and analytics: Third parties may execute operations on behalf of the app developer (e.g., provide analytics) and thus be considered to be data processors. Third parties also may collect information across apps to supply additional services of their own (e.g., provide personalized recommendations) and thus be data controllers directly subject to EU data protection law. When online behavioral advertising (OBA) is conducted, companies must comply with the e-Privacy consent requirement—in particular for the analysis and combination of data to create user profiles and for accessing or storing information on user devices.
3. User Consent as a Cornerstone of App Compliance
According to the WP, the principal legal basis for processing personal data in the context of apps is consent. However, consent must meet a number of requirements to comply with EU data protection law. In particular, it must be:
Freely given: Users must have the choice to accept or refuse the processing of their personal data and should not be confronted with a screen containing a single "Yes I accept" option in order to finish the installation. Instead, an option to cancel or otherwise halt the installation must be available.
Informed: To obtain meaningful consent, users must be provided with the information necessary to form an accurate judgment. In most cases, such information should be provided prior to the app installation.
Furthermore, users have the right to withdraw their consent at any time and should be provided with the ability to do so in a simple way (e.g., via an option to uninstall the app and have all data deleted).
4. Additional Guidelines for App Developers
In addition to the consent requirement described above, the WP provides comprehensive guidance on how to comply with the EU data protection principles. It emphasizes the concept of privacy by design (e.g., app developers should take this guidance into account at an early stage) and encourages the various players in the app ecosystem to work together to ensure compliance during the app's entire lifecycle. We have listed below some of the main learnings from the Opinion.
Data minimization and purpose limitation: App developers must only collect and process the data that is strictly necessary to perform the app functionalities. A sudden change of purpose after the data collection or the intent to process data in a new way (e.g., merging data from different apps) would require additional consent. In addition, obtaining consent from users does not give "carte blanche" to the data controller and does not justify data processing that is excessive or disproportionate to the service (e.g., alarm clock app with verbal "snooze" features performs recordings while alarm is not sounding).
Security measures: According to the WP, the involvement of various actors in the app ecosystem can lead to weak security measures and consequently to unauthorized processing and data breaches.[4] All players thus should implement the "privacy by design and by default" principles in the various stages of the app's lifecycle. The WP describes in detail what it considers to be good security practices.
Users' rights: Apps must clearly and visibly inform users about their rights, in particular about the existence of access and correction mechanisms, through secure online access tools that should be available within the app or by a link to an online feature. Users also should be provided with the possibility to withdraw their consent in a simple and non-burdensome manner.
Retention periods: Personal data only may be retained for a pre-defined and reasonable period of time. In addition, app developers should pre-define a period of inactivity upon expiration of which the app should alert the user and, in the case of non-responsiveness, have the data deleted or irreversibly anonymized.
Protection of children: The WP shares the concerns expressed by the FTC in its Staff Report on mobile apps for kids[5] and emphasizes the need for fair processing of children's data within apps. Apps for minors should pay attention to the age limit defined under national legislation, the requirement of parental consent, and data-minimization and purpose-limitation principles. Children's data should not be used for behavioral advertising purposes, directly or indirectly, as this will be outside the scope of a child's understanding. Information directed to children should be presented in age-specific language.
5. Increased Global Scrutiny
The Opinion follows a trend of increased scrutiny of the mobile app ecosystem by both EU and U.S. regulators. Just last month, the FTC issued a report on mobile privacy disclosures containing recommendations for app platforms, operating system providers, app developers, ad networks, and other third parties on how to improve privacy disclosures for consumers using mobile devices.[6] The FTC also released two reports last year that surveyed mobile apps for children and criticized current disclosure practices. The FTC has stepped up enforcement in the mobile space as well, recently entering into consent decrees with handset manufacturer HTC over alleged security concerns and mobile developer Path over alleged privacy misrepresentations and the collection of children's personal information.[7] The FTC's demonstrated interest in mobile privacy and security, along with the WP's issuance of the Opinion, shows that entities in the mobile app ecosystem need to be aware of the increased scrutiny they may face both at home and abroad.
Mobile apps are definitely on the radar of EU regulators. According to the Opinion, every entity involved in the app ecosystem and targeting EU individuals is subject to the whole set of EU data protection obligations, regardless of location. Although one can argue over some of the Opinion's points, it is clear that it demonstrates the interest of EU regulators in the mobile app field and gives a good indication of how EU regulators would apply EU data protection principles in a particular case. Therefore, mobile app providers targeting EU individuals should review their practices in light of EU data protection law and assess how they can comply with those requirements.
Wilson Sonsini Goodrich & Rosati's privacy and data security practice routinely advises clients on privacy and data security matters, including compliance with EU privacy or data protection legislation. The firm also regularly assists companies with all legal aspects associated with the collection, use, and disclosure of consumer data. For additional information, please contact Christopher Kuner at firstname.lastname@example.org or +32 2 274 57 20, Cédric Burton at email@example.com or +32 2 274 57 22, Anna Pateraki at firstname.lastname@example.org or +32 2 274 57 21, or Edward Holman at email@example.com or +1 202 973 8804.