
Mobile applications (“apps”) are enjoying ever increasing popularity. It is estimated that total app downloads in 2013 alone will have been in the region of 102 billion, almost double that of 2012. Although around 91 per cent are still provided free of charge, 2013 will have seen total app revenues in the region of $25bn. With the increase in demand for smart devices reflecting a consistent decline in the PC market, the app sector is booming.

Smart devices collect and produce significant quantities of data, much of which is personal data. Users create and save large amounts of data, while the devices themselves also collect and process data from their range of sensors.

Application Programming Interfaces (APIs) enable apps to access the device components and the variety of sensors via the operating system (OS). APIs may provide apps with the ability to access and write contact data, send various forms of messages, use the camera, record audio and access stored pictures. APIs can also provide device information by way of a device’s unique identification number (UDID).

By the very nature of most apps, personal data is collected for the software to function. The EU Data Protection and ePrivacy Directives apply to any app targeted at, or used by, EEA users, regardless of app developer or app store location. These requirements cannot be contracted out of or waived, and result in a duty to process, retain and protect data in accordance with the law. In line with the increasing regulatory scrutiny of apps, the Article 29 Working Party recently published WP202, “Opinion 02/2013 on apps on smart devices” (the “Opinion”).

The Opinion suggests that a relevant factor of the app development landscape is the range of actors involved. Although app developers are primarily viewed as the ones who control and process the data, other parties such as app owners, app stores, OS and device manufacturers, and additional third parties such as analytics and advertising providers, may also access and process data. The Opinion asserts that a great deal of the data protection risk comes from this degree of fragmentation.

As the app development cycle tends to be notably short, and in light of the fact that countless apps are developed by individuals, many of whom may be based outside the EU and unfamiliar with such legal requirements, privacy can tend to take a backseat in the journey to market. In addition, the market itself is still relatively immature, having only developed in the last decade alongside an increase in the amount and types of data being captured and processed.

Recently, a torch app for Android, which had been downloaded between 50m and 100m times, came within the FTC’s headlights for silently sharing location and UDID data. The privacy policy failed to disclose the sharing of data with third parties, and the app itself was found to have collected and sent information before users had accepted, or refused, the terms of the agreement. Notwithstanding the focus on individual and inexperienced developers, larger outfits have also faced regulatory oversight and criticism.

Although app compliance with privacy laws is improving, problems frequently stem from the inadequacy (either in timing or information) or non-existence of the privacy policy and from a lack of meaningful consent. Transparency is a key aspect of data protection compliance and a clear, understandable and easily accessible privacy policy is a considerable step in the right direction. Sufficient disclosures in the privacy policy, particularly where surfaced to users prior to installation, assist in ensuring users’ consents are adequately captured. The Opinion also recommends seeking granular consent for categories of data access, and updated consent when changing processing purposes.

It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices, particularly with regard to location, contacts and UDID data, should be observed to avoid unnecessary collection or processing. With the growth in the app sector mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be front and centre.

For more information, contact a member of our Technology team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.
