On March 14, 2013, the European Union’s Article 29 Working Party published its opinion on the unique privacy and data protection issues faced by applications used on mobile device. The 30-page opinion provides an analysis of the technical and legal issues, and concludes with a series of recommendations to app developers, platform developers, equipment manufacturers and third parties.
In many respects, this new opinion of the Article 29 Working Party is very similar to the document that the Federal Trade Commissions has published recently on the same topic. It addresses many themes also found in the FTC documents regarding the use of mobile applications in general, or that mobile applications directed to children.
The Article 29 Opinion WP 202 provides two series of recommendations for application developers. The first set of recommendation is in fact a recitation of general principles set forth in the proposed Data Protection Regulation, but adapted to the specific context of the mobile world, with references to location data, unique device identifier, SMS. There are also references to other modern concepts, such as privacy design, also found on the proposed Data Protection regulation, but absent from Directive 95/46/EC, the directive currently in effect.
The second set of recommendations to application developers includes specific guidance on the actions to be taken. These include:
- Adopting appropriate measures that address the risks to the data;
- Informing users about security breaches;
- Telling users what types of data are collected or accessed on the device, how long the data are retained and what security measures are used to protect these data;
- Developing tools to enable users to decide how long their data should be retained, based on their specific preferences and contexts, rather than offering pre-defined retention terms;
- Including information in their privacy policy dedicated to European users;
- Developing and implementing simple but secure online access tools for users, without collecting additional excessive personal data;
- Developing, in cooperation with OS and device manufacturers and others, innovative solutions to adequately inform users on mobile devices, such as through layered information notices combined with meaningful icons.
The remainder of the recommendations is addressed to app stores, OS and device manufacturers, and third parties.
The protection of children reappears as a common theme in the different recommendations to the different players in the mobile market. Each set of recommendations provided in WP 202 stresses that they should limit their collection of information from children, and especially refrain from processing children’s data for behavioral advertising purposes, and refrain from using their access to a child’s account to collect data about the child’s relatives or friends.