26 September, 2013
Jacob Kohnstamm, chairman of the CBP (Dutch Data Protection Authority), was quoted at the International Data Protection and Privacy Commissioners Conference in Warsaw on 24 September as saying “Apps must comply with data protection principles. Expect enforcement”.
In addition to the clear words in his speech, Kohnstamm, as chairman of the Data Protection Commissioners Conference, issued a ‘Warsaw declaration on the “appification” of society’. The Warsaw declaration contains quite clear language on how Data Protection and Privacy Commissioners see privacy with regard to apps. Below are some of the highlights of the Declaration.
Regarding the information duties of the controller, the Declaration introduces a (to me) new principle of ‘surprise minimisation’. Surprise minimisation means that apps should have “no hidden features, nor unverifiable background data collection”. Instead, clear and intelligible information on data collection should be available to the data subject, both before the actual collection starts and within the app. Also, users should have the option to allow access to specific information, such as location data, on a case-by-case basis.
On the responsibility of the app developer and data controller, the Declaration argues that the app developer needs to ensure that a clear decision is made on what information is necessary for the performance of the app, and that no additional personal data is collected without informed user consent. This also applies when app developers use third-party code or plug-ins, such as those from ad networks.
Data Protection and Privacy Commissioners state that they will encourage better privacy practice by raising awareness of privacy issues with apps. However, if they find this has insufficient effect, the Commissioners “will be ready to enforce the legislation”.
The words of Kohnstamm and the Declaration are a clear signal that apps and data protection compliance are on the enforcement radar.
If you would like Considerati to explain privacy compliance for apps or to review an app on data protection compliance, contact us.