App developers using data without consent, says watchdog

Clicking "install app" on a mobile device does not amount to personal data consent, according to EU privacy watchdog, the Article 29 Data Protection Working Party.

Much of this data is processed to provide a revenue stream, which the working party claims may be "unknown or unwanted" by the consumer.

The working party is composed of representatives of the data protection authorities in each EU country along with a representative of the European Commission.

In its opinion article, the group said that in the case of apps accessing data stored on the device such as contacts, pictures, videos and documents, Article 5(3) of the ePrivacy Directive requires consent from the user, after the user is provided with clear and comprehensive information.

It goes on to state that an "install" button is unlikely to provide sufficient information in order to act as valid consent for the processing of personal data.

Consent for making it legal for personal data to be processed is a separate type of consent, it said, from that of users' consent to allow access of their information, and both types require "free, specific and informed" consent.

A lack of awareness of the law among developers coupled with a fractured app ecosystem creates serious data protection risks for users, the working party continued. These risks include a lack of transparency and awareness among app users, poor security measures, invalid consent mechanisms and a trend towards "data maximisation".

The watchdog called for manufacturers of devices, operating system developers, app stores and third parties such as analytics providers and advertising networks to collaborate in order to achieve the "highest standards of privacy and data protection".

The majority of the responsibility, it said, goes to the app developers, who need to provide a readable, understandable and easily accessible privacy policy that informs users about the precise categories of personal data the app wants to collect and process; why the data processing is necessary; and whether data will be disclosed to third parties.