Privacy in the mobile age? You’re doing it wrong, say EU regulators

Everyone knows how finicky the European Union is when it comes to data protection in the cloud, but until now there hasn’t been much noise regarding the humble smartphone app. Now a group of privacy regulators from across Europe has published its opinion on that subject, and the result may be a world of pain for anyone involved in the mobile ecosystem.
The group is called the Article 29 Working Party and, while it doesn’t make laws, it does have a great deal of influence over those who do, and over the way in which privacy laws are interpreted. Its opinion (PDF warning) on mobile apps will be unwelcome in many quarters because it states that just about everyone in the mobile industry — app developers, app store proprietors and even OS and device vendors — has a range of legal obligations around protecting and properly collecting and processing user data.
Compliance with E.U. data protection law means sticking to several principles. First and foremost, the user needs to give full and unambiguous consent to having their data processed. Data processing has to be for a legitimate purpose — like the app’s stated use case — and everyone has a responsibility to keep personal data secure.
Even those mobile players who are trying to stick to the rules may find the task more complex than they first imagine. Here’s an example given by the regulators (with bold type reflecting my emphasis):

“An app provides information about nearby restaurants. To be installed the app developer must seek consent. To access the geolocation data, the app developer must separately ask for consent, e.g. during installation or prior to accessing the geolocation. Specific means that the consent must be limited to the specific purpose of advising the user about nearby restaurants. The location data from the device may therefore only be accessed when the user is using the app for that purpose. The user’s consent to process geolocation data does not allow the app to continuously collect location data from the device. This further processing would require additional information and separate consent.
Similarly, for a communication app to access the contact list, the user must be able to select contacts that the user wishes to communicate with, instead of having to grant access to the entire address book (including contact details of non-users of that service that cannot have consented to the processing of data relating to them).”

How about app stores? Here, the working party recommends that apps “should not just be rated by users for how ‘cool’ they are, but also on the basis of their functionalities, with specific reference to privacy and security mechanisms”.
These kinds of recommendations may seem a tall order, but they are doable. However, the working party seems under no illusion about the challenge it faces. Here’s the whole problem with ensuring the rules get stuck to, distilled into a single passage:

“A high risk to data protection comes from the degree of fragmentation between the many players in the app development landscape. A single data item can, in real time, be transmitted from the device to be processed across the globe or be copied between chains of third-parties. Some of the best known apps are developed by major technology companies but many others are designed by small start-ups. A single programmer with an idea and little or no prior programming skills can reach a global audience in a short space of time. App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices. Simultaneously, third-party services such as advertising are developing rapidly, which, if integrated by an app developer without due regard, may disclose significant amounts of personal data.”

There’s the rub. The creation and distribution of apps can involve many, many parties, with services interlinked in a way that’s hard to keep track of — especially since one of the fundamentals of EU data protection law is that the user is kept fully informed of what’s happening with their data, the likelihood of proper compliance breaks down on that point alone. That’s before we even get to the thorny issue of who is situated where and whether sending data to that location means breaking the rules, or how many opportunities for a security breach get opened up by having so many links in the chain.
It’s one thing imposing these rules on a big cloud provider, but what about the one or two-person team that comes up with some app that taps into multiple APIs linking to services around the world? Are they supposed to have a designated data controller within their organization, keeping an eye on compliance? That’s hardly going to be top of their agenda when their app may have been created and set live practically on a whim.
What the Article 29 Working Party is doing here is noble — and I don’t mean that dismissively. We should all be thinking about this stuff. Low barriers to entry shouldn’t be an excuse for ignoring a cumulative effect of privacy erosion.
The question is, are these guidelines going to stay a wishlist, or are we going to see Europe’s regulators enforce them? That’s what these opinions often presage, so we may soon find out what privacy regulation really means in the mobile age.