Keywords: app developers, personal data, end users, Article 29 Data Protection Working Party, European data protection

The Article 29 Data Protection Working Party (the "Working Party") has warned that many app developers are failing to comply with European data protection law by collecting personal data on end users from apps on their mobile devices without obtaining sufficient consent to do so.

The body, which represents all data protection authorities throughout the European Union, has published an opinion on mobile apps which sets out the specific obligations that app developers must comply with when designing and deploying apps that will collect personal data from end users' devices. The opinion also discusses the requirements that app stores, advertising providers, operating system providers and device manufacturers must consider in order to comply with European data protection law.

In its opinion, the Working Party has said that:

  • Before an app developer can collect personal data via an app, it must obtain freely given, fully informed, specific consent to the collection and use of the personal data from an end user before the app is installed on the end user's device;
  • There is an obligation on app developers to inform end users of who is going to be collecting and controlling their personal data, the types of personal data that are going to be collected, why it is going to be collected and how it is going to be used, whether any personal data will be disclosed to third parties and how users can withdraw consent and have their data deleted if they wish to do so;
  • An app developer must enable end users to manage their consent to the different ways in which the developer proposes to use the personal data collected;
  • The purposes of any data processing must be well defined, be comprehensible and remain within the limits communicated to the end user;
  • An app developer must, where it is necessary to retain personal data, only retain it for a reasonable period; and
  • Special precautions must be taken with respect to personal data collected from or about children.

The Working Party also expressed its concern about the adequacy of security measures currently being adopted by app developers to protect personal data that they collect via apps. App developers must ensure that they take appropriate security measures to protect any personal data from being lost, stolen or accessed or disclosed without authorisation. App developers must also take care not to stretch or exceed the purposes for which they are collecting and using personal data if they are to avoid breaking European data protection law.

Originally published March 20, 2013

© Copyright 2013. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.