This Time It's Personal
With its latest 'Opinion' on mobile apps announced yesterday, the Article 29 Working Party attempts to address the growing concern – sometimes referred to as the “creepiness” factor - that consumers have over being tracked on their mobile phones and devices.
Research by Ipsos MORI for TRUSTe showed that 79 per cent of British smartphone users said they avoided apps that they didn't believe protected their privacy. However, in doing so, the Article 29 WP greatly expands the definition of what is personal data under the EU’s 1995 data protection and e-privacy directives – finding that all data collected and used by a user’s “computer and other equipment” is personal data. And these new requirements may inhibit growth and innovation in the EU’s burgeoning mobile app industry.
When you classify something as personal data in the EU, a whole host of requirements become associated with the collection and use of that data – access rights, data retention and specification requirements, security – to name a few.
Under the Opinion’s expanded definition of personal data, most players in the mobile ecosystem would now be classified as data controllers – subject to all of the requirements that a data controller must comply with. In fact, the Opinion finds specific requirements for each segment of the mobile app ecosystem: developers, operating systems, stores and third parties (including ad networks).
Under the proposed regulation, classifying app developers as data controllers would trigger additional requirements – for instance, developers would be required to appoint a data protection officer and be subject to fines amounting to 2 per cent of their annual worldwide turnover for noncompliance!
Here are some specific instances where companies could be found to be data controllers under the Opinion:
- App developers who determine the “purpose and means of processing data” with their mobile apps
- Mobile operating systems that provide location data to app developers for geo-based features. Clearly, this may create disincentives for the OS to share location data with developers who want to include geo-location based features in their apps.
- Third parties, including ad networks, that process data for their own purposes - i.e. they are not specifically directed by another party
Data controllers must obtain consent for the processing of personal data. The Article 29 WP Opinion affirms a new standard known as explicit, “specific” consent for mobile app data collection and use. The app would have to inform you of the specific data it collected, and get the user’s unambiguous consent for each separate data collection. This means, for instance, that app developers would need to provide separate notice and obtain separate consent from the user for contact data and location data – you could not combine the notice and consent obligations into one event.
The Opinion also prescribes the elements of a mobile app notice. In addition to providing details on the user’s access rights, how data is collected, why and for whom, the app publisher or developer must also provide details of how the collected data is being secured, and “proportionality considerations for the types of data collected or accessed on the device.”
These elements are mostly similar to the formats presently under discussion in the US Department of Commerce’s Multistakeholder proceedings – however the Article 29 WP was careful not to prescribe exactly how (e.g. text vs. icons) this notice should be implemented.
Already, we see some DPAs (Data Protection Authority) like the UK’s Information Commissioner’s Office (ICO), preparing to educate app developers on the requirements, and how they translate under local laws. TRUSTe looks forward to working with both DPAs and the EU app developer community on implementing these requirements in a way that both respects EU data protection law and gives mobile app developers the flexibility to continue creating innovative (and useful) apps for consumers.
Saira Nayak is policy director at TRUSTe