{"id":1287,"date":"2025-01-01T15:34:05","date_gmt":"2025-01-01T15:34:05","guid":{"rendered":"https:\/\/aurele-it.fr\/cnils-draft-recommendation-on-mobile-apps\/"},"modified":"2025-01-07T13:20:27","modified_gmt":"2025-01-07T13:20:27","slug":"cnils-recommendation-on-mobile-apps","status":"publish","type":"post","link":"https:\/\/aurele-it.fr\/en\/cnils-recommendation-on-mobile-apps\/","title":{"rendered":"CNIL&#8217;s recommendation on mobile apps"},"content":{"rendered":"<p>The ecosystem of mobile applications (smartphones and tablets) had, until now, remained outside the scope of the recommendations of the French Data Protection Authority (CNIL). Yet for mobile application publishers and Software Development Kit (SDK) providers, implementing privacy principles is particularly complex.<\/p>\n<p>Professionals in the sector have therefore welcomed with interest the CNIL\u2019s recommendation on mobile apps, which was published in its final version on September 24, 2024.<\/p>\n<p><strong><em>Aurele IT is shedding light on the challenges and impacts of this recommendation for players in this ecosystem.<\/em><\/strong><\/p>\n<p><strong>Challenges and Impacts of CNIL\u2019s Recommendation<\/strong><\/p>\n<h3><strong>Why has CNIL decided to focus on mobile applications?<\/strong><\/h3>\n<p>Mobile devices are now the preferred means for the French population to connect to the internet. They involve extensive use of mobile apps, which pose significant privacy challenges for their users. For this reason, the CNIL identified data collection in smartphone applications as a priority topic in its 2022\u20132024 strategic plan.<\/p>\n<h3><strong>What is the scope of the recommendation?<\/strong><\/h3>\n<p>The CNIL, like the European Data Protection Board (EDPB), has the ability to interpret the GDPR in a general and preventive manner. 
A CNIL recommendation falls under what is known as &#8220;soft law,&#8221; which, in practice, is binding in matters of data protection. Data controllers are required to comply with CNIL and EDPB recommendations, which can be enforced during inspections.<\/p>\n<blockquote><p>The publication of the recommendation signals the start of CNIL inspections in spring 2025, targeting various players in the sector in France.<\/p><\/blockquote>\n<p>As was the case with CNIL\u2019s previous recommendation on cookies and trackers, other European supervisory authorities are expected to follow suit and issue similar recommendations.<\/p>\n<h3><strong>Who is affected by this recommendation?<\/strong><\/h3>\n<p>The recommendation identifies the different types of stakeholders involved and defines their roles and responsibilities. These stakeholders include:<\/p>\n<h4><strong>App Publishers and Developers<\/strong><\/h4>\n<ul>\n<li>Developers provide the code for the mobile app.<\/li>\n<li>Publishers release the mobile app, typically through app stores (iOS or Android).<\/li>\n<\/ul>\n<h4><strong>SDK Providers<\/strong><\/h4>\n<ul>\n<li>They supply third-party software modules embedded in apps, enabling specific operations. 
Through these modules, they may process data for purposes such as:\n<ul>\n<li>Providing app features (e.g., QR code scanning);<\/li>\n<li>Tracking users to provide analytics to the app publisher;<\/li>\n<li>Allowing the publisher to profile users and monetize their audience with advertisers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4><strong>Operating System and App Store Providers<\/strong><\/h4>\n<ul>\n<li>OS providers offer the operating system, such as those developed by mobile device manufacturers (Apple, Samsung, Huawei, Google).<\/li>\n<li><strong>App Stores: <\/strong>iOS (Apple\u2019s mobile operating system) and Android (Google\u2019s mobile operating system).<\/li>\n<\/ul>\n<h3><strong>Which regulations apply?<\/strong><\/h3>\n<p>Three regulations apply simultaneously to mobile applications:<\/p>\n<ul>\n<li><strong>GDPR on personal data<\/strong><br \/>\nThe recommendation specifies how GDPR obligations translate into the context of mobile apps.<\/li>\n<\/ul>\n<blockquote><p>Emphasis is placed on permission systems, particularly &#8220;technical permissions&#8221; designed by OS providers. 
These permissions enable users to grant or block access to specific information (such as contact lists, geolocation, microphone, camera, etc.), regardless of the purposes for which this information may be used.<\/p><\/blockquote>\n<ul>\n<li><strong>E-Privacy Directive on read and write operations on a mobile device<\/strong><br \/>\nThe E-Privacy Directive establishes the conditions for lawful storage of, and access to, information on mobile devices. The directive applies to all types of information, whether or not it is personal data. The consent required under the Directive is subject to the same validity conditions as those set by the GDPR. Two exceptions to the consent requirement are noted under Article 5.3 of the Directive:\n<ul>\n<li>Storage exclusively for the transmission of electronic communications.<\/li>\n<li>Operations strictly necessary to provide an information society service explicitly requested by the user.<\/li>\n<\/ul>\n<\/li>\n<li><strong>The Digital Markets Act (DMA)<\/strong><br \/>\nThe DMA is a European regulation that came into effect on March 6, 2024. It targets major digital platforms, referred to as &#8220;gatekeepers,&#8221; which include tech companies with significant market influence, such as Google, Apple, Meta, Amazon, and Microsoft.<br \/>\nIts objective is to combat anti-competitive practices by internet giants in the European digital market through strict rules on data access, transparency, and interoperability.<\/li>\n<\/ul>\n<h3><strong>How are actors qualified under GDPR?<\/strong><\/h3>\n<p>Actors\u2019 roles must be determined on a case-by-case basis:<\/p>\n<ol>\n<li>An App Publisher may be the data controller if they are involved in the app\u2019s operation. 
However, they are not responsible for processing carried out by third parties for their own purposes using data collected via the app.<\/li>\n<li>An SDK Provider acts as a processor when processing data on behalf of the publisher but may be a controller when processing data for its own purposes.<\/li>\n<li>An operating system provider is responsible for processing data related to the device.<\/li>\n<\/ol>\n<p><strong>Impacts for Professionals in the Sector<\/strong><\/p>\n<p>The CNIL provides a list of best practices for each type of stakeholder.<\/p>\n<blockquote><p>Some recommendations may translate into new obligations.<\/p><\/blockquote>\n<p><strong>Examples:<\/strong><\/p>\n<p><strong>For Publishers:<\/strong><\/p>\n<ul>\n<li>Ensure compliance during the app&#8217;s design and lifecycle;<\/li>\n<li>Define a purpose for each data processing activity, identify a legal basis, and associate it with a retention period;<\/li>\n<li>Identify read\/write operations on user devices per Article 82 of the French Data Protection Act (LIL), which transposes the E-Privacy Directive. 
Provide clear instructions to developers about which trackers and device accesses require consent;<\/li>\n<li>When consent is required, ensure it is collected under valid conditions.<\/li>\n<\/ul>\n<p><strong>For Developers:<\/strong><\/p>\n<ul>\n<li>Formalize interactions with the publisher and take on an advisory role;<\/li>\n<li>Select and audit SDK providers.<\/li>\n<\/ul>\n<p><strong>For SDK Providers:<\/strong><\/p>\n<ul>\n<li>Document information on data processing resulting from the SDK and provide it to partners in an accessible format, such as a detailed registry;<\/li>\n<li>Design tools to facilitate consent collection.<\/li>\n<\/ul>\n<h3><strong>Use case: best practices recommended for the publisher regarding the management of geolocation, contacts, microphone, and camera permissions<\/strong><\/h3>\n<ul>\n<li><strong>Geolocation:<\/strong> The publisher should prioritize minimal permissions (approximate location); when possible, 
the publisher should offer an alternative to using this permission, such as allowing the user to manually enter a postal code or address.<\/li>\n<li><strong>Contacts:<\/strong> Access to contacts should be justified, with minimal permissions and explicit consent, especially when sharing contacts with other users. In particular, where a feature requires sharing contact data between multiple users of the app (e.g., discovering contacts registered on a messaging platform), consent must be obtained for reading the contact data on the user\u2019s device, and all individuals potentially affected must be informed.<\/li>\n<li><strong>Microphone:<\/strong> Access should be occasional and justified, with local alternatives (e.g., manual input by the user).<\/li>\n<li><strong>Camera:<\/strong> Access to the necessary permissions should be limited. Consent is required for remote collection of images.<\/li>\n<\/ul>\n<p>Additional recommendations are provided for each category of professionals.<\/p>\n<p><strong><em>Aurele IT has specialized expertise and supports stakeholders in the mobile app environment.<\/em><\/strong><br \/>\n<strong><em>Contact Ma\u00eetre Florence Ivanier for any inquiries: <a rel=\"noopener\">contact@aurele-it.fr<\/a>.<\/em><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Issues and impacts of the CNIL &#8211; French Data Protection Authority&#8217;s final recommendation on mobile apps, issued in September 2024.<\/p>\n","protected":false},"author":2,"featured_media":1290,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44,38],"tags":[],"class_list":["post-1287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-gdpr-en","category-it"],"_links":{"self":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/comments?post=1287"}],"version-history":[{"count":17,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1287\/revisions"}],"predecessor-version":[{"id":1632,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/posts\/1287\/revisions\/1632"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/media\/1290"}],"wp:attachment":[{"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/media?parent=1287"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/categories?post=1287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aurele-it.fr\/en\/wp-json\/wp\/v2\/tags?post=1287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}