Until now, the ecosystem of applications for mobile terminals (smartphones and tablets) has been left untouched by CNIL recommendations. Yet for mobile application publishers and software development kit (SDK) providers, implementing the principles of personal data protection is particularly complex.
Industry professionals have therefore welcomed with interest the CNIL's draft recommendation on mobile apps, which was put out to public consultation until October 8, 2023, and will shortly be published in its final version.
In the meantime, Aurele IT sheds light on the issues and impacts of the draft recommendation for players in this ecosystem.
Issues and impacts of the CNIL draft recommendation
Why has the CNIL decided to take an interest in mobile applications?
Today, mobile devices are the preferred means for the French to connect to the Internet. They involve massive use of mobile apps, which present major challenges for the privacy of their users. This is why the CNIL has identified data collection in smartphone applications as a priority theme in its 2022-2024 strategic plan.
What is the scope of the recommendation?
The CNIL, like the European Data Protection Board (EDPB), has the ability to interpret the GDPR in general terms and a priori, outside of any litigation. A CNIL recommendation falls under so-called "soft law", which in practice carries real weight in data protection: data controllers are expected to comply with CNIL and EDPB recommendations, and these will be relied upon in the event of an inspection.
The publication of the recommendation heralds the inspections that the CNIL will launch from 2024 onwards at the various players in the sector in France.
And, as was previously the case with the CNIL recommendation on cookies and trackers, other European supervisory authorities are likely to draw inspiration from it to issue similar recommendations.
Who is concerned by this recommendation?
In its recommendation, the CNIL sets out to precisely identify the different types of players involved, and to define their respective roles and qualifications.
The professionals concerned are the following:
1. Application publishers and developers
- the developer provides the code for the mobile application. The publisher publishes the mobile application, usually on an application store (iOS or Android).
2. SDK (software development kit) providers
- they supply a third-party software brick embedded in the application, enabling certain operations to be carried out. Through these software bricks, they are involved in certain data processing operations, for example:
- offering functionalities through the application (e.g. reading a QR code);
- tracking users in order to provide the application publisher with analytics;
- enabling the application publisher to profile its users in order to monetize its audience with advertisers.
3. Operating system providers
- the OS (Operating System) provider makes the OS available. In practice, these are the manufacturers of mobile terminals and OS vendors (Apple, Samsung, Huawei, Google…).
4. Application store providers
- the App Store (iOS, Apple's mobile operating system)
- Google Play (Android, Google's mobile operating system)
What are the applicable regulations?
Two regulations apply concomitantly to mobile apps:
- the GDPR, on personal data;
- the ePrivacy Directive, on reading and writing operations on a mobile terminal.
The ePrivacy Directive sets out the conditions of lawfulness for storing and accessing information on mobile devices. The Directive applies whatever the type of information, not necessarily personal data, and the consent required by the Directive is subject to the same conditions of validity as those laid down by the GDPR.
There are two exceptions to the requirement for consent under Article 5(3) of the Directive:
- storage for the sole purpose of transmitting an electronic communication;
- operations strictly necessary for the provision of an information society service expressly requested by the user.
How are stakeholders qualified with regard to the GDPR?
The qualification of actors is to be determined on a case-by-case basis:
- The App Publisher may be Controller for a data processing operation if it takes part in it. However, it is not qualified as Controller for processing carried out by third parties on their own behalf on data resulting from operations performed through the application.
- The SDK Provider is the Publisher's Processor when it processes data on the latter's behalf, but may be Controller when it carries out processing on its own behalf.
- The OS Provider is Controller for the processing of terminal data.
What are the implications for industry professionals?
The CNIL provides a list of best practices to be implemented by each type of player. Some of these recommendations may constitute new obligations.
Here are a few examples:
- ensure privacy by design throughout the application's lifecycle;
- define a purpose for each processing operation, identify a legal basis, and associate a retention period with it;
- identify read and write operations on users' terminals within the meaning of Article 82 of the French Data Protection Act (Loi Informatique et Libertés, LIL), which transposes the ePrivacy Directive, and provide precise instructions to the Developer to identify which trackers and which device accesses require the collection of consent;
- when consent is required, ensure that it is obtained under valid conditions;
- formalize the SDK Provider's interaction with the Publisher and have it assume an advisory role towards the latter;
- select and audit the SDK Provider;
- document information about the data processing resulting from the SDK and provide it to partners in an accessible format, such as a detailed register;
- design mechanisms to facilitate the collection of consent.
As soon as the final CNIL text is released, Aurele IT will keep you informed of any significant changes to the draft.