The Article 29 Working Party – the data protection working group for the European Union which is composed of representatives from the European Commission and the data protection authorities of EU member states – recently released it Opinion 2/2013 on smart devices and mobile apps. According to the Opinion, app developers are subject to some burdensome and sweeping obligations. Among other things, the Working Party has found that, in keeping with the requirements of the EU Directive on data protection and the ePrivacy Directive, all app developers must:
- Ask for consent before the app is installed by the user, and that consent must be freely given, specific and informed.
- Get specific “granular” consent to each of the following categories of data that the app will access : location info, contact, UDID, identity or name of data subject, “identity of the phone,” payment data, SMS, telephony and SMS, browsing history, email, social network credentials and biometrics.
- Be aware that “consent does not legitimize excessive or disproportionate data processing.”
- Get renewed consent for any changes in processing, including for advertising and analytics purposes.
- Provide app users a single point of contact.
The Working Party also separately recommends other guidelines and practices for app developers , and sets forth requirements and recommendations for the various other players in the mobile app ecosystem, including device manufacturers, app stores and third party advertisers and analytics providers. Of note, app stores must, according to the Report, enforce app developers’ obligations to provide notice of information processing.
Working Party Opinions are not binding but are considered very persuasive by the data protection authorities of EU member states and the European Commission. The full report is available here.