Mobile Apps and Privacy Miniseries (3/5): Privacy by Design


December 9, 2014
In order to meet the requirements of privacy law, it is highly advisable to pay special attention to a privacy-compliant design right from the start of the development process. This so-called privacy by design approach is accompanied by privacy-friendly default settings (privacy by default); together they are intended to ensure that the app can be offered without data protection deficiencies. The German authorities' data protection guidelines for mobile apps focus heavily on such organizational and technical aspects and contain a number of recommendations.

How can data protection deficiencies be avoided?

There are fundamental principles of data protection that can serve as a guideline of sorts for meeting the privacy by design/default approach; among the principles of German and EU data protection law are

  • the principle of data avoidance and minimization: keeping the personal data processed to the absolute minimum. One application of this principle cited by the privacy guidelines is to limit the granularity of location data to what is actually needed. While a navigation app of course needs the user's exact coordinates, a weather app should not even be designed to pinpoint a precise location, relying instead only on the city concerned.
  • the purpose limitation principle protects data subjects by setting limits on the collection and further processing of their data. This means that data may only be used for the purposes for which it was collected and which were disclosed to the data subject, even if statutory permission exists to use it in other ways as well.
  • the principle of immediacy requires that personal data be collected directly from the person concerned. Wherever possible, an app should therefore ask the user to provide information instead of obtaining it from third-party sources (such as app stores/distribution platforms).
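The location example in the first bullet can be built directly into the code path that prepares a request, so that the exact position never leaves the device unless the app's purpose actually requires it. The following is an added illustration, not code from the original post or from the guidelines; the purpose names, the 25 km cell size for weather and the sample coordinates are assumptions chosen for the example.

```python
import math

# Rough length of one degree of latitude in km; one degree of longitude
# shrinks with cos(latitude).
KM_PER_DEG_LAT = 111.32

# Constructed policy: which location granularity (in km) each app purpose may
# use. None means exact coordinates are genuinely required. The purposes and
# cell sizes are assumptions for this example, not values from the guidelines.
GRANULARITY_KM = {
    "navigation": None,   # turn-by-turn directions need the exact position
    "weather": 25,        # a forecast only needs roughly the city
}


def coarsen_location(lat, lon, cell_km):
    """Snap (lat, lon) to the centre of a cell_km x cell_km grid cell.

    Every point inside a cell yields the same output, so only the cell, not
    the exact position, is ever transmitted.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    if cell_km <= 0:
        raise ValueError("cell size must be positive")
    lat_step = cell_km / KM_PER_DEG_LAT
    lat_cell = math.floor(lat / lat_step)
    lat_centre = (lat_cell + 0.5) * lat_step
    # Derive the longitude step from the cell's centre latitude rather than the
    # raw input, so all points in one latitude band share the same columns.
    km_per_deg_lon = KM_PER_DEG_LAT * max(math.cos(math.radians(lat_centre)), 0.01)
    lon_step = cell_km / km_per_deg_lon
    lon_cell = math.floor(lon / lon_step)
    lon_centre = (lon_cell + 0.5) * lon_step
    return (round(lat_centre, 4), round(lon_centre, 4))


def build_location_payload(purpose, lat, lon):
    """Return the location fields an app with the given purpose may send to its backend."""
    if purpose not in GRANULARITY_KM:
        raise ValueError(f"unknown purpose: {purpose}")
    cell_km = GRANULARITY_KM[purpose]
    if cell_km is None:
        return {"lat": lat, "lon": lon, "granularity_km": 0}
    coarse_lat, coarse_lon = coarsen_location(lat, lon, cell_km)
    return {"lat": coarse_lat, "lon": coarse_lon, "granularity_km": cell_km}


if __name__ == "__main__":
    # Constructed sample: two points a few hundred metres apart in Cologne.
    cathedral = (50.9413, 6.9583)
    station = (50.9432, 6.9586)
    print(build_location_payload("navigation", *cathedral))
    print(build_location_payload("weather", *cathedral))
    print(build_location_payload("weather", *station))
```

The point of routing every request through `build_location_payload` is that the granularity decision is made once, per purpose, rather than left to each call site; a later feature cannot quietly start sending exact coordinates without changing the policy table.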

Technical aspects of data security

Data security aspects are another part of the privacy by design/default approach. In order to prevent excessive development and repair costs, critical vulnerabilities must be avoided from the outset.

The so called technical and organizational measures are set out in Section 9 (including the annex) of the German Federal Data Protection Act (BDSG). The Düsseldorfer Kreis considers the following aspects particularly relevant for mobile apps:

  • Using secure logon credentials,
  • Avoiding the transmission of unique device identifiers (IMEI/UDID/...),
  • Using secure data transmission,
  • Preferring local data storage over cloud storage where possible.
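The second point, not transmitting IMEI/UDID-style identifiers, is usually solved by giving the app its own random, resettable install identifier and filtering hardware identifiers out of anything that leaves the device. The following is an added example, not code from the original post or from the guidelines; the set of blocked field names (beyond IMEI and UDID, which the guidelines mention), the dict standing in for the platform's private storage and the sample payload are assumptions made for the example.

```python
import uuid

# Field names that carry device-bound hardware identifiers. Constructed
# block-list: the guidelines name IMEI and UDID, the other entries are assumptions.
HARDWARE_ID_KEYS = {"imei", "udid", "serial", "mac", "imsi", "device_id"}


class InstallIdentity:
    """App-scoped, resettable identifier kept in the app's private storage.

    `storage` stands in for whatever private key/value store the platform
    provides; a plain dict is used here so the example runs anywhere.
    """

    KEY = "install_id"

    def __init__(self, storage):
        self.storage = storage

    def get_or_create(self):
        if self.KEY not in self.storage:
            # uuid4 is random, so the value reveals nothing about the hardware
            # and cannot be correlated with the same device by another app.
            self.storage[self.KEY] = str(uuid.uuid4())
        return self.storage[self.KEY]

    def reset(self):
        """Let the user sever the link between past and future data."""
        self.storage.pop(self.KEY, None)
        return self.get_or_create()


def looks_like_install_id(value):
    """True if value is a version-4 UUID string, i.e. random rather than hardware-derived."""
    try:
        return uuid.UUID(value).version == 4
    except (ValueError, AttributeError, TypeError):
        return False


def sanitize_outbound(payload, identity):
    """Drop hardware identifiers from an outbound payload and attach the install id instead.

    Returns (clean_payload, dropped_keys) so the caller can log what was removed.
    Key comparison is case-insensitive because SDKs disagree on spelling.
    """
    dropped = sorted(k for k in payload if k.lower() in HARDWARE_ID_KEYS)
    clean = {k: v for k, v in payload.items() if k.lower() not in HARDWARE_ID_KEYS}
    clean["install_id"] = identity.get_or_create()
    return clean, dropped


if __name__ == "__main__":
    ident = InstallIdentity({})
    # Constructed payload, as an app might assemble it before the fix.
    raw = {"IMEI": "490154203237518", "udid": "a1b2c3", "app_version": "1.4.2", "event": "forecast_open"}
    clean, dropped = sanitize_outbound(raw, ident)
    print("dropped:", dropped)
    print("sent:", clean)
    print("after reset:", ident.reset())
```

Calling `sanitize_outbound` at the single point where requests are serialized, rather than trusting every SDK and analytics call, is what makes the measure checkable: the dropped-key list can be logged in debug builds to find code paths that still try to ship hardware identifiers.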

In the next installment: Specific issues – payment, children, tracking.

Felix Hilgert

Senior Associate at Osborne Clarke
Felix is a lawyer with Osborne Clarke's IT Team in Cologne, where he acts for companies of all sizes, from start-ups to market leaders.
