The Developers of Mobile Applications and the Personal Data. Any Connection?

Claudia Jelea
Avocat & Consilier in domeniul marcilor
@IP Boutique

MANAGEMENT

Do we have to deal with personal data in our activity? What does this involve? These are legitimate questions for a mobile applications developer, since collecting these data has become an inherent phenomenon of the digital world and a more and more controversial topic along with the evolution of mobile applications, due to the various situations that can arise. Moreover, the subject is of a greater interest since, in the future, a tightening of sanctions is foreshadowed for non-compliance with the legislation of the personal data.

Therefore, no matter whether he is interested in a good reputation in front of the user who is more and more frightened by the perspective of having his personal life invaded, or whether he wants to protect himself against the contingent legal sanctions, the developer has to observe the laws in force. They are quite numerous and thick, and this article does not aim to present them all in detail. Instead, starting from the hypothesis below, we wish to present a few ground rules that are easy to keep in mind, which you can take into consideration in order to minimize the possible risks.

Hypothesis

A. is a company from Romania and it has just finished the process of development of a mobile application. It is an application created according to the internal specifications of A., with the intention of being commercially exploited under the company"s own brand, not an application that was ordered by an external client.

Before uploading the application on the relevant online platforms (Magazine Play, App Store, etc.) so as to make it available to the users, A. finds out that it should take one more aspect into consideration: through the application, certain data regarding the users will be collected on its server and, sometimes, transferred to the partners abroad. But the company does not know whether they represent personal data nor if they imply complying with some legal laws.

What personal data can be collected by the mobile applications?

According to the European Directive ePrivacy (directive translated also in the Romanian legislation), any electronic terminal equipment (phones, tablets, laptops, etc.) and any information stored on them are part of the private area of the user and are protected according to the European Convention for the Protection of Human Rights and Fundamental Freedoms.

This information can be considered private no matter whether it regards a natural person that is identified (for instance, by name) or identifiable (one that can be identified directly or indirectly). They may be connected to the owner of the electronic device or to any other natural person (for instance, the contact data of one"s friends, from the phone contact list).

Here are a few examples: location data, geolocation, name of the user, contacts from the phone book, e-mail, pictures and videos, date of birth, identifiers such as Unique Device Identifier (IMEI number, etc.), phone number, the registry of calls, messages or searches on the Internet, information regarding payments made on-line, biometrical data such as facial recognition, etc.

Sometimes it is possible that among the collected data there is some of apartness - the sensitive personal data, such as: the sexual preferences of the users, their racial/ ethnical origin or political affiliation, etc. They require special carefulness (especially if they are collected in order to be used in the behavioral targeted advertising, analytics, etc.).

Some useful pieces of advice

If the developer is the one in charge of the data collected through the application, then he can be considered a personal data operator - meaning the person who establishes the purpose and means of processing the data - and he will have to comply with the specific legal obligations, including the registration at the competent authority.
Establish a clear internal mechanism regarding the processing of personal data, before beginning to work on the development of the application and on writing code lines. This procedure is called Privacy by Design (PBD) and it is a concept which facilitates a result of a higher quality. As an example, you can find here and here a guide book drawn by the authorities in Great Britain and Australia in order to meet the mobile applications developers half way and to promote Privacy by Design. Most of these principles can also be applied to the Romanian developers.
You can carry out an internal impact research in which you can tackle issues such as: (i) what personal data you need and why, (ii) how you collect, use, store and transfer them, (iii) how you obtain the user"s agreement for you to collect his data (including for the case in which you alter the purpose you use them for), (iv) if you reveal them to third parties, (v) possible risks and ways to avoid/ reduce them, etc.
Try to keep the data collection to a minimum level, only for the established and legitimate purposes (for example, collect only the data necessary for the application to run). Studies reveal that users tend to prefer and remain loyal to mobile applications having a transparent and minimal policy regarding the volume of collected data.
At the moment of installing the application, you will have to obtain the agreement of the user not only to download the application on their phone or tablet, but also to process the data collected by the application.
Set a policy regarding the processing of personal data (Privacy Policy) and make it available to the users (for example, through a link) before they download and install the application and before you collect their data. You can use graphics and color in order to make the information more accessible.
Privacy Policy should indicate, among others, the types of collected data, the purpose they will be used for (and by whom), the users" rights, the contact of the application developer. These essential conditions must be met so that we can state that you have offered the necessary information to the users and they have knowingly and freely agreed to it. The free agreement means that you give the users the possibility to accept or deny the processing of their data. Therefore, in order to complete the installation of the application, you should also make available a "Deny/Cancel" (data processing) button, not only the "Yes, I agree" button.
Maintain the security of the collected data - make all the necessary efforts (including technical ones) in order to make sure the data base is not in danger of being hacked and illicitly copied. In case of illicit usage, you can be brought to trial by the users who can claim for damages.
In some situations and depending on the type of application, it is not only the developer who processes these data, but also the distributors of the application, the advertising and analytics providers, the third party libraries, etc. It is helpful to explain to the users the manner in which their data will be used by them and why, etc.

Conclusion

As developers, it is for your convenience to implement proper privacy policies for the mobile applications you create and release on the market. Privacy by Design is a more and more popular concept and it can offer a technical solution to a legal problem. More and more, the applications which take the personal data protection seriously gain the trust of their users, succeeding in making a difference through transparency.

About the authors:

Claudia Jelea is a lawyer specialized in issues involving the online environment, electronic trade and IT&C, brands, copyright and personal data privacy. She is a member of Bucharest Bar and of the Patent Chamber (brands).

LinkedIn & Twitter: claudiajelea | www.jlaw.ro | www.avocatnet.ro/claudiajelea

Catalin Constantinescu is a student in the fourth year in the Faculty of Law, Bucharest University and he is interested in the interference between law and IT.