The Article 29 Working Party announced (pdf) that it has released a joint “Opinion 02/2013 on apps on smart devices” (Working Party pdf; archive pdf). The Working Party said in its announcement that the opinion “details the specific obligations of app developers and all other parties involved in the development and distribution of apps under European data protection law. Other parties include app stores, advertising providers and Operating System and device manufacturers. Special attention is paid to apps targeting children.” Here’s more from the joint opinion’s summary:
There are hundreds of thousands of different apps available from a range of app stores for each popular type of smart device. It has been reported that more than 1,600 new apps are added to app stores daily. An average smartphone user is reported to download 37 apps. Apps may be offered for little or no upfront cost to the end user and can have a user base of just a few individuals or many millions.
Apps are able to collect large quantities of data from the device (e.g. data stored on the device by the user and data from different sensors, including location) and process these in order to provide new and innovative services to the end user. However, these same data sources can be further processed, typically to provide a revenue stream, in a manner which may be unknown or unwanted by the end user.
App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices. The key data protection risks to end users are the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before that processing takes place. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment. […]
Many types of data available on a smart mobile device are personal data. The relevant legal framework is the Data Protection Directive, in combination with the protection of mobile devices as part of the private sphere of users contained in the ePrivacy Directive. These rules apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store.