Press Release - Article 29 Working Party
Joint Opinion on Mobile Apps
The European data protection authorities of the Article 29 Working Party have adopted an opinion addressing the key data protection risks of mobile apps. The opinion details the specific obligations of app developers and all other parties involved in the development and distribution of apps under European data protection law. Other parties include app stores, advertising providers, and operating system and device manufacturers. Special attention is paid to apps targeting children.
On average, a smart phone user downloads 37 apps. These apps are able to collect large quantities of personal data from the device, for example by having access to the photo album or using location data. "This often happens without the free and informed consent of users, resulting in a breach of European data protection law", according to the Chairman of the Article 29 Working Party Jacob Kohnstamm.
Privacy risks of mobile apps
Smart phones and tablets contain large quantities of intimate personal data from and about their users, such as contact details, locational information, banking details, photos and videos. In addition, these devices can record, or capture in real-time, a range of data types from a multitude of sensors including microphones, compasses or other devices used to track a user's movement. Although app developers want to provide new and innovative services, the apps may have significant risks to the private life and reputation of users of smart devices if they do not comply with EU data protection law.
Individuals must be in control of their own personal data. Therefore, apps must provide sufficient information about what data they are processing, before the processing takes place, in order to obtain meaningful consent.
Poor security is another data protection risk, which could lead to unauthorised processing of personal data through the trend of data maximisation and the elasticity of purposes for which personal data is being collected, such as for 'market research'. This increases the possibility of a data breach.
Obligations and recommendations
There are many parties involved in the development and distribution of apps and each party has a set of important responsibilities to create a safe, secure and data protection compliant app environment. It is important that all those in the app ecosystem understand their own responsibilities, but to achieve the highest standards of privacy and data protection they must also collaborate with other parties in the app ecosystem.
The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is competent to examine any question covering the application of the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents.