Apps and privacy – developing applications with privacy protection in mind

Limited barriers to entry and potentially low costs of development have led to an explosion in the number of applications developed for mobile devices such as smartphones and tablets.

May 2013

By the end of 2013 it is estimated that over 2 million applications will be available from the main appstore providers.

Yet alongside this growth in apps has been a rise in concern for user privacy. Apps can collect significant information about users and their devices, often without their knowledge or permission. Surveys of apps have also revealed limited understanding or awareness by developers of the importance of data protection, as well as instances of misuse of applications to gain covert access to user information.


It is against this background that a working party of European data protection regulators (the Article 29 Working Party) has published its view on the privacy risks of applications and on what each of the different players in this marketplace must do to comply with data protection law. These players include app developers, app stores, OS providers, device manufacturers and third parties. The Working Party considers the responsibilities of each of these players but points to app developers bearing the brunt of the compliance burden, as they typically have the greatest control over how users' personal information is collected and how information in the app is presented to users.

At first glance this may smack of another example of innovation being stifled by EU regulators but reading between the lines of the legalese, there is an important message. The trust of users is key to their take-up of mobile apps. Just because it is technologically possible to design an app to harvest information from a user's device does not mean a developer is entitled to do so or that this would be fair to users.

For an app to succeed from a data protection compliance standpoint, and arguably from a commercial one, it must engage with the user by first providing comprehensive information in clear and plain language about the features of the app, what information will be accessed by whom and how it will be used or disclosed. Based on this information the user should be free to accept or refuse the installation of the app; be able to distinguish between the different data the app will access; and consent to the different uses proposed for this information. Merely offering a single 'Accept' or 'Install' button is unlikely to give sufficient information on which to collect a valid user consent.

This 'granular' approach to consent is particularly important when collecting data such as a user's location, contacts, unique device identifiers, identity, payment and browsing data. It should also be supported by a privacy policy that is easily accessible from both the app store and within the app after installation. This policy should give clear information about the right of users to rectify, erase or block their data and make clear how long collected data will be held. Developers should note, however, that no matter how clearly a privacy policy is presented, it may not be possible to obtain consent from children, and certain uses of children's data, such as for online behavioural advertising, should be prohibited.

The Working Party also takes the view that app developers should only collect data for clearly defined purposes. It points to the "alarming disregard" with which data from apps is distributed to third parties for "undefined or elastic purposes such as market research" and cautions against data being used for reasons unconnected with the core functionality of the app.

Finally, security does not escape the attention of the Working Party, which calls for, among other things: robust security features to be hardwired into the design of apps; tools to allow apps to be run separately within sandboxed environments; and prevention of malicious apps from spreading. Use of device identifiers in apps should also be avoided in favour of app-specific or temporary identifiers, to avoid tracking of users or wider dissemination of this data, and there should be ongoing resilience testing of apps to identify and fix any vulnerabilities in the software.

Clearly the views of the Working Party offer food for thought. Those app developers who take heed of these views to deliver applications that comply with data protection law will also engage the trust of users and, ultimately, gain the competitive advantage in what is an increasingly crowded marketplace.

For more detail on the Article 29 Working Party Opinion on apps on smart devices, click here.

Sally Annereau

Sally Annereau looks at what the views of EU data protection regulators mean for those developing apps for mobile and smart devices.