The Article 29 Working Party, which is a committee made up of representatives from each EU national data protection authority, has published an opinion setting out some of the risks to the privacy of smartphone users that can result from the use of third-party apps (30-page / 926KB PDF).
It said that mobile operating system and device manufacturers, app store operators and developers of apps should "collaborate" on data security in order to ensure the highest standards of data protection and privacy for users. This could include tighter control over application programming interfaces (APIs) by manufacturers, and more stringent review and rating processes by stores, it said.
In its opinion the Article 29 Working Party said that poor security measures; a lack of transparency about how data will be used, and a trend towards "data maximisation" contributed to the data protection risks found in the average 37 apps installed by smartphone users. End users had "little awareness" about the types of processing an app could carry out, and in many cases had not been provided with a means to give meaningful consent to the processing of their personal data, it said.
The Working Party said that APIs, which are used to give developers access to the underlying data on devices, gave manufacturers and app stores the opportunity to "enforce specific rules and offer appropriate information" to users. They should also "define standard methods to access the data" stored on the device which apps had access to, it said.
However data protection expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that the Working Party seemed to be equating device manufacturers with "gatekeepers", giving them the ultimate responsibility for revoking user consents.
"We can compare this to the discussion which was had some time ago where there were suggestions that ISPs should act in a similar role in relation to intellectual property infringement that took place online," he said. "Generally, the collective response to that argument was to move away from attributing responsibility to ISPs."
"Device manufacturers may reason that they are at a completely different level of the stack [to developers] – why should they have to take on this responsibility. Their approach likely will be 'keep us out of your content wars," he said.
Much of the data available on a smartphone amounts to 'personal data' for the purposes of EU data protection legislation. Many third-party apps have the ability to collect large quantities of data from these devices, including both data stored on the device by the user and data taken from different sensors, such as location data. This data can be used to provide "new and innovative services to the end user", the Working Party said. However, it may then be further processed in ways "unknown or unwanted by the end user", it said.
The opinion made it clear that a distinction should be drawn between a user's consent to allow cookies or other information collecting technologies to be placed on a device that enable the accessing of user information including contacts in the smartphone's address book, pictures or other documents; and the consent needed to make it legal for that data to be processed. Both types of consent must be "free, specific and informed" under the existing ePrivacy and data protection rules. The Working Party said that data processors were free to "merge" both types of consent, so long as the end user was made "unambiguously aware" of what was being consented to.
Although a 'single click' install could be enough to fulfil the first consent requirement, it would be "unlikely to provide sufficient information" to meet the second consent requirement, the Working Party said.
"In the context of smart devices, 'freely given' means that a user must have the choice to accept or refuse the processing of his personal data," the opinion said. "Therefore if an app needs to process personal data, a user must be free to accept or refuse. The user should not be confronted with a screen containing a single 'Yes I accept' option in order to finish the installation. An option to 'Cancel' or otherwise halt the installation must be available."
In order for consent to be "informed", the smartphone user must have been provided with the necessary information to form an accurate judgement "before any personal data is processed", the opinion said. It pointed out that, in some cases, data processing could take place during installation, for example for debugging or tracking purposes.
"Specific" meant that that consent must relate to the processing of a particular data item or limited category of data, and that therefore a "generally formulated authorisation" would not suffice. The best approach would be a "granular" one, in which separate consent was sought for each type of data the app intended to access, the Working Party said. Any default settings provided either by the app, or by the smartphone's operating system, would also have to prevent data processing or tracking of user behaviour without specific consent.
The Working Party said that once consent was obtained, it was important for those collecting the data to observe principles of "purpose limitation and data minimisation". "Alarming disregard" was being shown by those collecting data from apps, who were "widely" distributing it to third parties for "undefined or elastic purposes such as 'market research'," the opinion said. It cited recent research by the Wall Street Journal which showed that "many apps abundantly collect data from smartphones, without any meaningful relationship to the apparent functionality of the app".
"Unique, often unchangeable, device identifiers should not be used for the purpose of interest based advertising and/or analytics, due to the inability of users to revoke their consent," the Working Party said. "App developers should ensure that function creep is prevented by not changing the processing from one version of an app to another without giving the end users appropriate information notices and opportunities to withdraw from either the processing or the entire service."
Users should also be given access to "technical" information, such as the amount of outgoing traffic per app, to allow them to verify statements made by developers and manufacturers about the purposes their data was being processed for, it said.