Mobile apps and data privacy: what developers need to know

9 Nov 2015

’Appy campers consider privacy from the start of app development. Image via Shutterstock

This week in Tech Law, Mason Hayes & Curran revives an earlier post which considers mobile apps and data protection.

With the increase in demand for smart devices reflecting a consistent decline in the PC market, the app sector is booming.

Smart devices collect and produce significant quantities of data, many of which are personal data. Users create and save large amounts of data, while the devices themselves also collect and process data from their range of sensors.

Application programming interfaces (APIs) enable apps to access the device components and the variety of sensors via the operating system (OS). APIs may provide apps with the ability to access and write contact data, send various forms of messages, use the camera, record audio and access stored pictures. APIs can also provide device information by way of a device’s unique identification number (UDID).

EU guidelines for data protection in apps

By the very nature of most apps, personal data is collected for the software to function. The EU Data Protection and ePrivacy Directives apply to any app targeted at, or used by, EEA users, regardless of app developer or app store location.

These requirements cannot be contracted out of or waived, and result in a duty to process, retain and protect data in accordance with the law. In line with the increasing regulatory scrutiny of apps, the Article 29 Working Party recently published WP202, ‘Opinion 02/2013 on apps on smart devices’.

The Opinion suggests that a relevant factor of the app development landscape is the range of actors involved. Although app developers are primarily viewed as the ones who control and process the data, other parties such as app owners, app stores, OS and device manufacturers, and additional third parties such as analytics and advertising providers, may also access and process data. The Opinion asserts that a great deal of the data protection risk comes from this degree of fragmentation.

Privacy risks in an immature sector

As the app development cycle tends to be notably short, and in light of the fact that countless apps are developed by individuals, many of whom may be based outside the EU and unfamiliar with such legal requirements, privacy can tend to take a backseat in the journey to market. In addition, the market itself is still relatively immature, having only developed in the last decade alongside an increase in the amount and types of data being captured and processed.

A torch app for Android, which had been downloaded between 50m and 100m times came within the FTC’s headlights for silently sharing location and UDID data. The privacy policy failed to disclose the sharing of data with third parties, and the app itself was found to have collected and sent information before users had accepted, or refused, the terms of the agreement.

Notwithstanding the focus on the individuals and inexperienced developers, larger outfits have also faced regulatory oversight and criticism.

Building privacy-conscious apps

Although app compliance with privacy laws is improving, problems frequently stem from the inadequacy (either in timing or information) or non-existence of the privacy policy and from a lack of meaningful consent.

Transparency is a key aspect of data protection compliance and a clear, understandable and easily accessible privacy policy is a considerable step in the right direction. Sufficient disclosures in the privacy policy, particularly where surfaced to users prior to installation, assist in ensuring users’ consents are adequately captured. The Opinion also recommends seeking granular consent for categories of data access, and updated consent when changing processing purposes.

It is important that all stakeholders understand their privacy obligations. Privacy should be considered at all stages of development and production. Data minimisation practices – particularly with regard to location, contacts and UDID data – should be observed to avoid unnecessary collection or processing.

With the growth in the app sector mirrored by a marked increase in regulatory scrutiny, considerations of privacy and data protection should be front and centre.

By Jevan Neilan, associate, Mason Hayes & Curran

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out for more.

Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.

Apps development image by Bloomua via Shutterstock