Because of the data protection risks they pose and their widespread use, mobile phone apps are currently a priority for the EU data protection authorities.
The Article 29 Data Protection Working Party has recently submitted its Opinion 02/2013 on the processing of personal data on apps on smart devices. The relevant legal framework is the Data Protection Directive together with parts of the ePrivacy Directive.
The Opinion is of particular importance for app developers but is also relevant to app owners, app stores, operating system and device manufacturers, and other third parties that may be involved in the collection and processing of personal data from smart devices, such as analytics and advertising providers.
The Opinion focuses on the need for an organisation that wishes to rely on user consent to process personal data to give the end user sufficient information to make an informed decision, and to obtain their specific consent before the app is installed. The end user must also be able to withdraw their consent with ease and to access, rectify, object to and erase any data should they so wish.
In addition, the Opinion covers the principles of purpose limitation and data minimisation: data can only be collected for a specific, legitimate purpose, must not be further processed in a way that is incompatible with that purpose, and no more information than is needed for that purpose may be held. It also covers the need to take adequate security measures, the obligation to correctly inform end users, end users' rights, reasonable data retention periods and, specifically, fair processing of data collected from and about children.