Android and iOS apps subject to EU privacy regulations - ICO

Apps downloadable to mobile devices are subject to the European Union's Privacy and Electronic Communications Regulations, according to deputy commissioner David Smith, and the Information Commissioner's Office (ICO) will be examining them closely to monitor compliance.

The laws, which came into force in May 2011, regulate the use of data, such as cookies, planted on PCs and other devices. Rather than prohibiting such data, they require that users provide informed consent. This will necessitate informing web users that cookies are used and what they do, and offering users the option not to have those cookies downloaded to their device.

"Apps are one of the items on our list," warned Smith. "It's quite clear that if someone is storing something on a device, or accessing information that is already stored on a device, one of the issues might be the form of consent when an app is downloaded.

"We've all downloaded an app and clicked 'okay', but how informed are we? How do they get messages across? How do they say, 'did you know this app is going to access your phone ID and your location?'" said Smith.

He added: "There are wider issues around apps and privacy, of which this is a part, but that's something that we are looking to deal with in the future."

Smith was speaking as the first year that the new regulations have been in operation draws to a close on 26 May. During this period, the ICO has adopted a softly, softly approach in which it has issued guidance and advice to businesses, appreciating that it might not be a straightforward process for many organisations to make the desired changes straightaway.

At the moment, the focus of the ICO is on cookies. The Commissioner will write to a top-50 list of websites in the UK in the next week to ascertain their compliance with the new regulations.

While Smith did not name any of the organisations that the ICO will be writing to, they will almost certainly include all the major media websites, such as Telegraph.co.uk, Dailymail.co.uk and Guardian.co.uk, as well as the operators of the government's big departmental websites – many of which are not yet compliant with the new law.

While most organisations still have not got to grips with the new regulations, the ICO will make a distinction between different types of non-compliance. "Tracking cookies for online behavioural advertising – third-party cookies – are at the more intrusive end of the scale, whereas cookies that are simply used to develop analytics of website usage are at the lower end of the scale," said Smith.

"That will inform enforcement action. We are not about enforcing the letter of the law for the sake of it. We are about enforcing the law as a means to protect people's privacy. The more that is at risk, the more likely we are to take enforcement action," he added.

Furthermore, the ICO will not be rushing to impose sanctions against non-compliant organisations at this stage. "We do have powers to impose monetary penalties of up to half-a-million pounds. We don't rule that out in this area. But it is most unlikely that breaches of the cookie requirement will meet the criteria that we have to satisfy before we can impose a penalty," he added.

However, one of the major challenges that the Information Commissioner faces is the issue of jurisdiction. In Europe, many technology companies are based in Ireland, the Netherlands or Luxembourg for tax purposes, which will put them under those countries' respective data protection regimes, even if they do business in the UK.

Organisations operating websites or selling apps on the Android or iOS markets outside the European Union will not be subject to such regulations at all – even if they conduct business in the UK.