In response to this, the Düsseldorfer Kreis, an informal working group of several German data protection agencies, created a set of guidelines for app developers and providers. Our miniseries takes a closer look at the guidance and the impact of privacy law in the mobile sector. App developers and providers would do well to take the guidelines into account from the very beginning of the development process.
Wide concept of personal data
Privacy law restrictions always apply if personal data are collected, processed and/or used. In case of a mobile app, personal data might include device and SIM card identifiers, mobile phone number, name of the phone, location data, photos, videos, audio files, even bank account and other payment data, registration data, etc.
Even IP addresses are deemed personal data by German authorities – even though this opinion is subject to controversial scholarly debate, and not all courts agree.
Even so, it is almost inconceivable that an app does not collect any personal data at all. The message of the Düsseldorfer Kreis’ privacy guidance document is clear: personal data are concerned in each case where the app transfers any data back to the provider. The guidelines, which are essentially a joint, coordinated interpretation of exisiting statutory law, therefore apply to virtually all mobile apps.
Wide territorial scope
The territorial scope of German privacy law is bigger than many foreign app providers might expect. German regulations must be taken into account if app providers operate any offices or subsidiaries in Germany – recent case law from the European Court of Justice suggests that this is even the case if such offices or subsidiaries have nothing to do with the actual processing of user data.
But even if the app provider has no presence at all in Germany, German law is applicable in some cases. If the app provider has no presence in the EU, German privacy law always applies when personal data are collected in Germany. Since the data are collected wherever the customer uses the app, it would be hard not to collect data in Germany. The only case where German privacy law would not apply is where any processing of the data was controlled by an entity outside of Germany but within a different EU member state. In this case, the privacy law of such concerned EU member state would apply.
The entity responsible for complying with privacy law is basically the app provider or operator, even if it did not did not develop the app itself. The responsibility also remains if the app-provider outsources data processing to service providers (commissioned data processing).
However, there are a few cases where other parties would also face responsibility as “responsible entities”:
- the developer is responsible if it has implemented an automatic fault reporting function that transfers personal data directly to the developer.
- the operator of the app store is responsible for any (additional) personal information it may process for registration or management of in-app purchases
Therefore, developers and distributors should also check their compliance with European data protection rules.
In the next installment: Statutory permission and consent requirements.