App Developers must Comply with Data Protection Obligations

Monday, 9 September 2013

The surge in apps for mobiles and other devices has been remarkable. It is estimated that between 56 and 82 billion mobile apps will be downloaded worldwide in 2013. People are becoming increasingly reliant on apps for entertainment, communication and information.

Exciting as this industry is, the EU Data Protection Working Group has recently expressed concerns over the ways in which many apps use personal data. Mobile apps may collect a variety of data, whether it is in the form of browsing history, personal information or bank details.

Fortunately for users, there is legislation that regulates how their data can be used; for app developers this entails significant legal obligations that must not be overlooked.

The Existing Regulations

The EU’s Data Protection Directive sets out stringent rules for those who handle data, and these rules apply to individuals or businesses involved in developing apps. Regardless of where the developer is based, if users from the EU are using the app then these criteria still need to be met.

The requirements stipulate that personal data should:

(1) Only be acquired for limited purposes

(2) Be lawfully processed

(3) Be relevant and not excessive

(4) Be accurate

(5) Be securely stored

(6) Be kept only for as long as is necessary

(7) Satisfy any data subject’s rights

(8) Obey rules regarding transferring data outside the EU

Data Protection Issues for App Developers

The EU Working Group suggests that currently, app developers and small companies are not adequately protecting the information provided by their users. It has expressed serious concerns over the security of stored data. For many apps that collect personal data there also exists ambiguity over the ‘limited purpose’ for which data will be used and there appears to be a trend towards data maximisation.

Furthermore, the Working Group highlights that the consent procedures are insufficient. Many apps do not request the user’s consent to access their personal data while others are not clear enough about exactly what data will be shared and for what purpose.

The EU Working Group has considered much of the data collected by apps to be irrelevant and therefore in contravention of the requirement that data must only be acquired for ‘limited purposes’. As a result, an ongoing stream of illegitimately obtained data is flowing to third parties. The EU Working Group has also identified occasions where app developers have leaked large amounts of personal information into the public domain.

In light of these concerns, the EU Working Group suggests that app developers need a clear policy to inform users about the data collection involved with their app.


There appears to be a lack of awareness among app developers over the regulations surrounding personal data collection despite the serious potential penalties for mishandling this information.

Breaches of data protection can be the subject of both civil and criminal charges with the possibility of an unlimited fine. There is also the threat of negative PR in light of people’s growing privacy concerns, particularly following Edward Snowden’s revelations and criticisms of Google and Facebook’s handling of personal information.

Developers and businesses creating apps who need advice or information about their legal obligations should contact James Crichton today via e-mail or by telephone on 0207 611 4848.