New recommendations from Europe's top privacy watchdog could have big ramifications for Google Play, Apple and application developers.
The Article 29 working group, which is made up of data protection authorities from across the European Union, has issued fresh guidelines for mobile phone applications. The overall principle of data minimization -- only collecting the data strictly necessary for the app to operate -- is the cornerstone of the group's recommendations.
However, according to Nick Pickles, director of Big Brother Watch, there is much confusion in the market, and in February, Christopher Graham, the UK's Information Commissioner, said that some app developers had a "cavalier" attitude to personal data protection.
Apps most commonly access names and email addresses. Some store this information and some do not, some ask for permission and some do not. But apps from Facebook, Twitter, Instagram, Foursquare and others also suck other information from users' phones.
According to the Article 29 group, app developers must ask for consent for each type of data accessed including location, contacts, payment data, browsing history and social networks credentials. However, it warned that even consent "does not legitimize excessive or disproportionate data processing." Developers should also define a period of inactivity after which the account will be treated as expired, so that apps that users have forgotten they installed do not continue to slurp data from their phones.
App stores, such as Google Play, must implement consent collection mechanisms in their OSes at the first launch of the app or the first time the app attempts to access one of the categories of data that have significant impact on privacy.
The aim of all this is to give users the means to avoid being tracked by advertisers and any other third party. "The default settings must be such as to avoid any tracking. Third parties must not circumvent any mechanism designed to avoid tracking, as it currently often happens with the 'Do Not Track' mechanisms implemented in browsers," according to the Article 29 document.
The growing concerns over the privacy policies of mobile phone apps prompted the GSMA trade association to publish a set of voluntary guidelines that aims to give users more transparency, choice and control over how apps use their personal information. European mobile phone operators including Orange, Vodafone and Deutsche Telekom have said they will implement these guidelines.
Last month the US Federal Trade Commission set out a similar set of guidelines. However these are not legally binding, whereas many of the Article 29's recommendations are already covered by EU law, specifically the Data Protection Directive and the ePrivacy Directive.