Data protection in mobile apps: boring, but ignore it at your peril

The range of apps for mobile devices is astounding. I doubt that there is anyone reading this that does not have at least a few apps on their smartphone whether Runkeeper, Facebook, Instagram, Snapchat or even the latest find love app (swipe to left if it’s a no or to the right if it’s a yes).

In fact, according to the EU’s Data Protection Working Party, more than 1,600 apps are added to app stores daily and an average smartphone user is reported to have downloaded 37 apps in 2012 (alas, I am below average, shame!).

Something we do not necessarily think about when downloading and using an app is the amount of data it collects about us. Mobile apps can collect personal information such as location, contacts, credit card details, phone and messaging logs, browsing history, email, social media contacts, the identity of the phone and end user, photos, etc. Fortunately for app users, and unfortunately for ‘data controllers’ (see below), legislation governs the collection and use of personal data in the UK.

The collection and use of personal data in the UK is governed by the Data Protection Act 1998 (DPA) and overseen by the Information Commissioner. The DPA implements the EU’s Data Protection Directive (Directive 95/45/EC), which applies to all 28 Member States.

In short, Data Protection legislation requires the data controller (the person who determines the purposes for which and the manner in which any personal data is processed) to collect and use personal data in accordance with eight principles. The eight principles require personal information to be:

  1. fairly and lawfully processed
  2. processed for limited purposes
  3. adequate, relevant and not excessive
  4. accurate
  5. not kept longer than necessary
  6. processed in accordance with the data subject’s rights
  7. held securely
  8. not transferred to countries outside the European Union without adequate protection

In practice, almost any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is potentially caught by this legislation.

The recent EU Data Protection Working Party’s opinion focussed on apps on smart devices and identified a number of data protection risks, notably:

  • Lack of transparency. The end user of an app is often unaware of what information an app is collecting about them and for what purposes.
  • Lack of free and informed consent. Consent, if it is requested at all, is often limited to accepting the app’s terms and conditions. There is often no privacy policy and end users rarely have specifically to consent to sharing their personal information.
  • Trend towards data maximisation and disregard for the principle that data should be collected and processed for limited purposes. Whether it is out of ignorance or intentionally, many app developers collect data from smart devices which is unrelated to the app itself and is then distributed to third parties.
  • Poor security measures. App developers who suffer personal data breaches can leak a lot of personal information into the public domain. End users are often unaware of these breaches.

The Working Party makes the point that many app developers are small start-ups unaware of their data protection obligations and that data protection breaches can create “significant risks to the private life and reputation of users of smart devices”.

The Working Party recommends that app developers ensure that their apps ask for consent before they start to retrieve information from a smart device, that they respect the principle of data minimisation and that they be aware that consent does not legitimise excessive data processing. It suggests providing an easily accessible privacy policy and proactively informing users about the type of data collected and any data breaches. It also suggests that app developers develop tools to enable users to customise their preferences and retention periods in relation to their personal data and to enable tighter collaboration between the players in the smart device app field to ensure full and integrated compliance with data protection law.

The full opinion can be found on the European Commission’s website: ‘Data Protection, Opinions and recomendations‘.

Beware!

App developers, OS and device manufacturers and app stores– ignore this guidance at your peril! It is not binding but it is persuasive and likely to be noted if you are investigated by the Information Commissioner’s Office (ICO) or any other European national data protection authority. Breaches of data protection laws can result in criminal as well as civil liability in the UK, and of course, bad publicity. In the worst case scenario, you could be prosecuted personally under certain sections of the DPA resulting in an unlimited fine or face a monetary penalty of up to £500,000 for a serious breach.