‘Appy Campers - Mobile Apps and Data Privacy
06 March 2014
by Jevan Neilan, Associate
Mobile applications (“apps”) are enjoying ever-increasing popularity. It is estimated that total app downloads in 2013 alone will have been in the region of 102 billion, almost double that of 2012. Although around 91 per cent of apps are still provided free of charge, 2013 will have seen total app revenues in the region of $25bn. With the increase in demand for smart devices reflecting a consistent decline in the PC market, the app sector is booming.
Smart devices collect and produce significant quantities of data, much of which is personal data. Users create and save large amounts of data, while the devices themselves also collect and process data from their range of sensors.
Application Programming Interfaces (APIs) enable apps to access the device components and the variety of sensors via the operating system (OS). APIs may provide apps with the ability to access and write contact data, send various forms of messages, use the camera, record audio and access stored pictures. APIs can also provide device information by way of a device’s unique identification number (UDID).
By the very nature of most apps, personal data is collected for the software to function. The EU Data Protection and ePrivacy Directives apply to any app targeted at, or used by, EEA users, regardless of app developer or app store location. These requirements cannot be contracted out of or waived, and result in a duty to process, retain and protect data in accordance with the law. In line with the increasing regulatory scrutiny of apps, the Article 29 Working Party recently published WP202, “Opinion 02/2013 on apps on smart devices” (the “Opinion”).
The Opinion suggests that a relevant factor of the app development landscape is the range of actors involved. Although app developers are primarily viewed as the ones who control and process the data, other parties such as app owners, app stores, OS and device manufacturers, and additional third parties such as analytics and advertising providers, may also access and process data. The Opinion asserts that a great deal of the data protection risk comes from this degree of fragmentation.
As the app development cycle tends to be notably short, and in light of the fact that countless apps are developed by individuals, many of whom may be based outside the EU and unfamiliar with such legal requirements, privacy can tend to take a backseat in the journey to market. In addition, the market itself is still relatively immature, having only developed in the last decade alongside an increase in the amount and types of data being captured and processed.
It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices, particularly with regard to location, contacts and UDID data, should be observed to avoid unnecessary collection or processing. With the growth in the app sector mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be front and centre.