Mobile Apps and Privacy Miniseries (2/5): Privacy Policy and Consent

November 28, 2014
In part 2 of our miniseries on German and EU privacy law and German authorities’ guidelines for app developers and providers, we look at a core general principle of data protection law: The collection, processing and use of personal data are prohibited except to the extent covered by specific permission. This can be a statutory permission or the concerned data subject’s valid, informed consent. But there are some hoops to jump through…

What a privacy policy is and isn’t

It is a widespread misconception that the use of a privacy policy in some way confers permission to do whatever is disclosed in it. But under German and EU law, the purpose of a privacy policy is not to structure or create legal relationships – it is there to inform the user. A privacy policy as such is nothing more than a (necessary) transparency rule/obligation; it does not constitute, form or represent consent or legal permission.

App-specific document required

In their app and privacy guidelines, the German data protection authorities stress the requirement that a privacy policy must be comprehensive and app-specific. It must inform the user about all the data collected, exactly what will happen to it, and whom it might be shared with. The authorities emphasize the fact that mobile devices and apps often collect more and different data than desktop computers (location data, access to address books, camera, microphone…). Therefore, merely copying an existing website privacy policy will not be sufficient in most cases.

The app privacy policy should ideally already be linked to on the product page in the respective app store, so that the user can take note before downloading the app. Once the app is installed, the privacy policy must be easily accessible from inside the app at any time – and if the app even collects data in offline mode, then a link to a privacy policy on the provider’s server is not sufficient. The same applies to the responsible entity’s contact information.

To consent or not to consent?

Where no statutory permission is granted to process certain user data, consent is required. Such consent will only be effective if the data subject is informed (prior informed consent). That implies that users must be informed in an easily comprehensible way about the nature, scope and purpose of the collection, processing and use of their personal data. Under German law, such consent must be separately declared, so the corresponding language cannot be buried in the fine print of any terms of service.

In the next installment: Privacy by Design.

Felix Hilgert

Senior Associate at Osborne Clarke
Felix is a lawyer with Osborne Clarke's IT Team in Cologne, where he acts for companies of all sizes, from start-ups to market leaders.
