Opinion 02/2013 on apps on smart devices
Art. 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices, 02/2013, 27.02.2013
Abstract

There are hundreds of thousands of different apps available from a range of app stores for each popular type of smart device. It has been reported that more than 1,600 new apps are added to app stores daily. An average smartphone user is reported to download 37 apps. Apps may be offered for little or no upfront cost to the end user and can have a user base of just a few individuals or many millions. Apps are able to collect large quantities of data from the device (e.g. data stored on the device by the user and data from different sensors, including location) and process these in order to provide new and innovative services to the end user. However, these same data sources can be further processed, typically to provide a revenue stream, in a manner which may be unknown or unwanted by the end user.

App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices. The key data protection risks to end users are the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before that processing takes place. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.

A high risk to data protection also stems from the degree of fragmentation between the many players in the app development landscape. They include: app developers; app owners; app stores; Operating System and device manufacturers (OS and device manufacturers); and other third parties that may be involved in the collection and processing of personal data from smart devices, such as analytics and advertising providers. Most conclusions and recommendations in this Opinion are aimed at app developers (in that they have the greatest control over the precise manner in which the processing is undertaken or information presented within the app), but often, in order for them to achieve the highest standards of privacy and data protection, they have to collaborate with other parties in the app ecosystem. This is particularly important with regard to security, where the chain of multiple actors is only as strong as its weakest link.

Many types of data available on a smart mobile device are personal data. The relevant legal framework is the Data Protection Directive, in combination with the protection of mobile devices as part of the private sphere of users contained in the ePrivacy Directive. These rules apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store. In this opinion the Working Party clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, with a focus on the consent requirement, the principles of purpose limitation and data minimisation, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and specifically, fair processing of data collected from and about children.