Tag Archives: apps

Fresh EU data protection compliance guidance for mobile apps, from the EDPS

Posted on November 11, 2016 | Leave a comment

The European Data Protection Supervisor adopted this week “Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions”.

While the guidelines are addressed to the EU bodies that provide mobile apps to interact with citizens (considering the mandate of the EDPS is to supervise how EU bodies process data), the guidance is just as valuable to all controllers processing data via mobile apps.

The Guidelines acknowledge that “mobile applications use the specific functions of smart mobile devices like portability, variety of sensors (camera, microphone, location detector…) and increase their functionality to provide great value to their users. However, their use entails specific data protection risks due to the easiness of collecting great quantities of personal data and a potential lack of data protection safeguards.”

Managing consent

One of the most difficult data protection issues that controllers of processing operations through mobile apps face is complying with the consent requirements. The Guidelines provide valuable guidance on how to obtain valid consent (see paragraphs 25 to 29).

  • Adequately inform users and obtain their consent before installing any application on user’s smart mobile device
  • Users have to be given the option to change their wishes and revoke their decision at any time.
  • Consent needs to be collected before any reading or storing of information from/onto the smart mobile device is done.
  • An essential element of consent is the information provided to the user. The type and accuracy of the information provided needs to be such as to put users in control of the data on their smart mobile device to protect their own privacy.
  • The consent should be specific (highlighting the type of data collected), expressed through active choicefreely given (users should be given the opportunity to make a real choice).
  • The apps must provide users with real choices on personal data processing: the mobile application must ask for granular consent for every category of personal data it processes and every relevant use. If the OS does not allow a granular choice, the mobile application itself must implement this.
  • The mobile application must feature functionalities to revoke users’ consent for each category of personal data processed and each relevant use. The mobile application must also provide functionalities to delete users’ personal data where appropriate.

The Guidelines invite controllers to “analyse the compliance of its intended processing before implementing the mobile application during the feasibility check, business case design or an equivalent early definition stage of the project”. The controller “should take decisions on the design and operation of the planned mobile application based on an information security risk assessment”.

Other recommendations concern:

  • data minimisation – “the mobile application must collect only those data that are strictly necessary to perform the lawful functionalities as identified and planned”.
  • third party components or services – “Assess the data processing features of a third party component or of a third party service before integrating it into a mobile application”.
  • security of processing – “Apply appropriate information security risk management to the development, distribution and operation of mobile applications” (paragraphs 38 to 41).
  • secure development, operation and testing – “The EU institution should have documented secure development policies and processes for mobile applications, including operation and security testing procedures following best practices”.
  • vulnerability management – “Adopt and implement a vulnerability management process appropriate to the development and distribution of mobile applications” (paragraphs 47 to 51).
  • protection of personal data in transit and at rest – “Personal data needs to be protected when stored in the smart mobile device, e.g. through effective encryption of the personal data”.

 

***

Find what you’re reading useful? Consider supporting pdpecho.

 

 

Leave a comment

Posted in News

Tagged , , , , , , , , , , ,

Mobile Experts Disagree on Who Should Protect Privacy

Posted on May 7, 2012 | Leave a comment

Users of mobile apps need more information about the ways those apps use their personal information, a group of experts agreed Thursday, but they didn’t agree on who is most responsible for protecting user privacy, writes pcworld.com.

Apple and Google can better police their app marketplaces, although both companies have several good privacy protections, said Todd Moore, founder of app vendor TMSoft, during a discussion on mobile app privacy at the State of the Mobile Net conference in Washington, D.C. The operators of the iPhone and Android app marketplaces are in the best position to enforce privacy controls and set rules limiting the amount of information apps can collect, he said.

One app marketplace required Moore’s sound app to have access to information about whether the phone was being used for a voice call, so that the app could turn off sounds during a call. Some TMSoft customers have questioned why the app wants that access, Moore said. “I don’t want that level of access,” he added.

But Ashkan Soltani, an independent security and privacy researcher, said app developers bear most of the responsibility for protecting privacy. App developers need to police themselves, given that many consumers don’t understand the privacy implications of the apps they download, he said.

Read the whole story, HERE.

Leave a comment

Posted in News

Tagged , , , , ,