The ecosystem of mobile applications (smartphones and tablets) had, until now, remained outside the scope of the recommendations of the French Data Protection Authority (CNIL). However, for mobile application publishers and Software Development Kit (SDK) providers, implementing privacy principles is particularly complex.
Professionals in the sector have therefore welcomed with interest the CNIL’s recommendation regarding mobile apps, which was published in its final version on September 24, 2024.
Aurele IT is shedding light on the challenges and impacts of this recommendation for players in this ecosystem.
Challenges and Impacts of CNIL’s Recommendation
Why has CNIL decided to focus on mobile applications?
Mobile devices are now the preferred means for the French population to connect to the internet. They involve extensive use of mobile apps, which pose significant privacy challenges for their users. For this reason, the CNIL has identified data collection in smartphone applications as a priority topic in its 2022–2024 strategic plan.
What is the scope of the recommendation?
The CNIL, like the European Data Protection Board (EDPB), has the ability to interpret the GDPR in a general and preventive manner. A CNIL recommendation falls under what is known as “soft law,” which, in practice, is binding in matters of data protection. Data controllers are required to comply with CNIL and EDPB recommendations, which can be enforced during inspections.
The publication of the recommendation signals that CNIL inspections will begin in spring 2025, targeting various players in the sector in France.
As was the case with CNIL’s previous recommendation on cookies and trackers, other European supervisory authorities are expected to follow suit and issue similar recommendations.
Who is affected by this recommendation?
The recommendation identifies the different types of stakeholders involved and defines their roles and responsibilities. These stakeholders include:
App Publishers and Developers
- Developers provide the code for the mobile app.
- Publishers release the mobile app, typically through app stores (iOS or Android).
SDK Providers
- They supply third-party software modules embedded in apps, enabling specific operations. Through these modules, they may process data for purposes such as:
  - Providing app features (e.g., QR code scanning);
  - Tracking users to provide analytics to the app publisher;
  - Allowing the publisher to profile users and monetize their audience with advertisers.
Operating System and App Store Providers
- OS providers offer the operating system, such as those developed by mobile device manufacturers (Apple, Samsung, Huawei, Google).
- App Stores: iOS (Apple’s mobile operating system) and Android (Google’s mobile operating system).
Which regulations apply?
Three regulations apply simultaneously to mobile applications:
- GDPR on personal data
The recommendation specifies how GDPR obligations translate into the context of mobile apps. Emphasis is placed on permission systems, particularly “technical permissions” designed by OS providers. These permissions enable users to grant or block access to specific information (such as contact lists, geolocation, microphone, camera, etc.), regardless of the purposes for which this information may be used.
- E-Privacy Directive on read and write operations on a mobile device
The E-Privacy Directive establishes the conditions for lawful storage and access to information on mobile devices. The directive applies to all types of information, not necessarily personal data. The consent required under the Directive is subject to the same validity conditions as those set by the GDPR. Two exceptions to the consent requirement are noted under Article 5.3 of the Directive:
  - Storage exclusively for the transmission of electronic communications;
  - Operations strictly necessary to provide an information society service explicitly requested by the user.
- The Digital Markets Act (DMA)
The DMA is a European regulation that came into effect on March 6, 2024. It targets major digital platforms, referred to as “gatekeepers,” which include Tech companies with significant market influence, such as Google, Apple, Meta, Amazon, and Microsoft.
Its objective is to combat anti-competitive practices by internet giants in the European Digital Market through strict rules on data access, transparency, and interoperability.
How are actors qualified under GDPR?
Actors’ roles must be determined on a case-by-case basis:
- An App Publisher may be the data controller if they are involved in the app’s operation. However, they are not responsible for processing carried out by third parties for their own purposes using data collected via the app.
- An SDK Provider acts as a processor when processing data on behalf of the publisher but may be a controller when processing data for its own purposes.
- An operating system provider is responsible for processing data related to the device.
Impacts for Professionals in the Sector
The CNIL provides a list of best practices for each type of stakeholder.
Some recommendations may translate into new obligations.
Examples:
For Publishers:
- Ensure compliance during the app’s design and lifecycle;
- Define a purpose for each data processing activity, identify a legal basis, and associate it with a retention period;
- Identify read/write operations on user devices per Article 82 of the French Data Protection Act (LIL), which transposes the E-Privacy Directive. Provide clear instructions to developers about which trackers and device accesses require consent;
- When consent is required, ensure it is collected under valid conditions.
For Developers:
- Formalize interactions with the publisher and take on an advisory role;
- Select and audit SDK providers.
For SDK Providers:
- Document information on data processing resulting from the SDK and provide it to partners in an accessible format, such as a detailed registry;
- Design tools to facilitate consent collection.