Brownlie v Four Seasons Group
The range of apps for mobile devices is astounding. I doubt that there is anyone reading this that does not have at least a few apps on their smartphone whether Runkeeper, Facebook, Instagram, Snapchat or even the latest find love app (swipe to left if it’s a no or to the right if it’s a yes).
In fact, according to the EU’s Data Protection Working Party, more than 1,600 apps are added to app stores daily and an average smartphone user is reported to have downloaded 37 apps in 2012 (alas, I am below average, shame!).
Something we do not necessarily think about when downloading and using an app is the amount of data it collects about us. Mobile apps can collect personal information such as location, contacts, credit card details, phone and messaging logs, browsing history, email, social media contacts, the identity of the phone and end user, photos, etc. Fortunately for app users, and unfortunately for ‘data controllers’ (see below), legislation governs the collection and use of personal data in the UK.
The collection and use of personal data in the UK is governed by the Data Protection Act 1998 (DPA) and overseen by the Information Commissioner. The DPA implements the EU’s Data Protection Directive (Directive 95/45/EC), which applies to all 28 Member States.
In short, Data Protection legislation requires the data controller (the person who determines the purposes for which and the manner in which any personal data is processed) to collect and use personal data in accordance with eight principles. The eight principles require personal information to be:
In practice, almost any business operating in the UK which holds information about individuals (whether employees, customers or anyone else) is potentially caught by this legislation.
The recent EU Data Protection Working Party’s opinion focussed on apps on smart devices and identified a number of data protection risks, notably:
The Working Party makes the point that many app developers are small start-ups unaware of their data protection obligations and that data protection breaches can create “significant risks to the private life and reputation of users of smart devices”.
The full opinion can be found on the European Commission's website: 'Data Protection, Opinions and recommendations'.
App developers, OS and device manufacturers and app stores– ignore this guidance at your peril! It is not binding but it is persuasive and likely to be noted if you are investigated by the Information Commissioner’s Office (ICO) or any other European national data protection authority. Breaches of data protection laws can result in criminal as well as civil liability in the UK, and of course, bad publicity. In the worst case scenario, you could be prosecuted personally under certain sections of the DPA resulting in an unlimited fine or face a monetary penalty of up to £500,000 for a serious breach.
Skip to content Home About Us Insights Services Contact Accessibility