Consent — the ultimate lawful basis for processing personal data by mobile apps? Think again.
GDPR and mobile applications — reasons to stop depending on consent by default as an umbrella lawful ground for processing personal data by mobile applications
Introduction
In terms of the ongoing application of Regulation 2016/679 (“GDPR”) and the proliferation of mobile applications across our mobile devices, the number of mobile apps processing various personal data has become an increasingly pressing topic. For that reason, many privacy professionals across the EU focus on different aspects of the functionality of this piece of software and investigate to what extent our personal data is handled in compliance with GDPR. For sure one of the crucial considerations when it comes to GDPR implementation and personal data processing is the existence of a lawful basis for it. The valid legal basis is the foundation for lawful processing of personal data according to GDPR and therefore a valid criterion for processing is always mandatory. Furthermore, the employment of the right lawful ground(s) has immense role for reaching a maximum degree of GDPR compliance. In the context of mobile applications, this element of GDPR implementation and compliance gets tricky and blurred though.
Consent and mobile applications in theory
According to statements of privacy professionals, mobile applications conduct personal data processing activities primarily based on consent. Since Data Protection Directive, consent is the first listed criterion for making data processing legitimate among the others. [1] In fact, the backbone of consent regime dates back to the Data Protection Directive and since then is apprehended as the most applicable condition for handling personal data under EU data protection regulations. For example, in Opinion 02/2013 on apps on smart devices consent is highlighted as “the principal applicable legal ground”. [2] Although the Opinion 02/2013 on apps on smart devices refers to the Data Protection Directive and not GDPR, all conclusions in this matter remain fully applicable and adequate as consent is reaffirmed as a legal ground for processing personal data under GDPR. Next, according to a study from 2017 by ENISA entitled “Privacy and data protection in mobile applications”, consent again is identified as the most popular legitimate criterion for the processing of personal data.[3] Later on, in the Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions by the European Data Protection Supervisor from 2016 only one processing condition is pointed out and reviewed — consent, again.[4] What is more, in Opinion 13/2011 on Geolocation services on smart mobile devices is clearly stated that “Given the sensitivity of the processing of (patterns of) location data, prior informed consent is also the main applicable ground for making data processing legitimate when it comes to the processing of the locations of a smart mobile device in the context of information society services.”[5] All of the mentioned legal documents represent the position/opinion of official EU bodies regarding the domination of consent as the ultimate lawful ground for processing personal data in terms of mobile applications. In order to see the whole picture, it is of high importance to explore how mobile app developers manage the lawful processing of personal data in reality.
Consent and mobile applications in practice
The examination of the Privacy policy documents of the most downloaded apps on the market opposes to the observation that consent is actually the most common legal basis for processing personal data. For instance, according to Instagram’s Privacy policy they process personal data based on every single legal basis listed in Article 6 of GDPR. In fact, as Facebook owns Instagram both applications share the same Privacy policy.[6] As stated, consent is used “in certain instances” when processing data subject’s data.[7] However, Facebook indeed recognizes and informs that the main legal basis for processing personal data is the contract between Facebook and users. Another famous mobile application these days is the dating app Tinder. Reading through Tinder’s Privacy policy we see that the main lawful ground for processing personal data is the contractual performance.[8] Consent is listed as an option in cases where “from time to time, we may ask for your consent to use your information for certain specific reasons.”.[9] Another hot mobile application these days is the music app Spotify. Spotify’s Privacy policy enlightens upon the legal bases Spotify relies upon to legally permit them to process your personal data.[10] In only 2 out of 6 processing purposes consent applies. In other words, Spotify puts as the dominant criterion for processing user’s personal data the performance of a contract.[11] Just one more example is the messaging app WhatsApp and its Privacy policy. It clearly states that WhatsApp “process data as necessary to perform our contracts with you” meaning that WhatsApp also employs the performance of a contract as the main lawful ground.[12]
Clash between practice and theory
As the cited official documents imply that consent is the core legitimate criterion for handling personal data by mobile applications, in reality, some of the major mobile apps on the market, in fact, count on a variety of bases including the performance of a contract. Additionally, if you google for articles regarding GDPR implementation and mobile application development you will read that the plethora of authors (including privacy professionals and software developers) also suggest mainly consent as a panacea. It is given the impression that a mismatch is observed when it comes to identifying the primary lawful ground for processing personal information by mobile applications and not spotlight only one general lawful ground by default. Studies shows that a vast number of mobile app developers by default bet on consent as a general lawful basis in terms of personal data processing.[13] However, based on the functionality of a mobile application and its features it is hard to pinpoint consent as the one and only lawful basis to commence personal information activities. The global rationale is that such a general approach undermines the main principles of privacy and data protection along with any respective GDPR compliance efforts. Consequently, an individual tailored approach is welcomed and necessary to identify the suitable lawful ground for each processing purpose. Each of the listed in Article 6 of GDPR criteria has certain limitations and field of application so is unreasonable to cover “by default” the full range of purposes “in general” especially with regard to complex software products. The employment by default of consent as a general processing condition might put at risk the core understanding of privacy and data protection regarding GDPR.
Why is that? In the next paragraphs, numerous considerations that outline consent as less favourable as a general lawful ground to depend on in connection with mobile applications will be examined.
Disadvantages of consent regime regarding mobile applications
First, according to GDPR consent must meet a few conditions, namely: freely given, specific, informed and unambiguous indication of wishes.[14] Consent must be freely given which means that a genuine choice for data subject is required along with the ability to revoke or withdraw consent. One reason consent should not be count on is because “where there is a clear imbalance between the data subject and the controller”.[15] Well, in terms of mobile applications such imbalance is quite possible where data controllers are stakeholders such as Instagram, Facebook, Tinder, Google, Spotify, etc. What is more, as mobile applications have the nature of a service they fall in the scope of other portrayed situation by Recital 43 where “if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.” Therefore, mobile app developers should consider to what extent consent is the most suitable condition for long-term processing arrangements as a general rule and relying on it by default without investigating the whole spectrum of processing purposes one by one.
What is more, consent needs to be specific in order to be valid. GDPR prescribes that “Consent should cover all processing activities carried out for the same purpose or purposes.”[16] In other words, a single processing operation requires separate permission and multiple purposes mean consent provided for all of them in a granular fashion. In the context of mobile applications, the requirement for consent to be informed might not be such a trouble as it is easy to explain the main purposes for processing personal data. However, the technical aspect of satisfying the requirement of specific consent may be burdensome due to the possible imbalance between the level of UX and degree of compliance. This means that users should actively opt-in for every single purpose. With regard to mobile applications, a compliant yet feasible solution is a granular form of options to be provided to users to agree on different purposes and different types of processing. Later on, the requirement for “unambiguous” indication imposes an obligation for a proper technical solution to be implemented so the acquire of consent to be clearly indicated by the data subject. Well, this becomes quite challenging dealing with explicit consent and recording it. Next, a crucial consideration is finding the balance between the proper presentation of the consent request form and being not “disruptive to the use of the service for which it is provided.”[17] What is important, consent must be obtained before the processing of personal data is started. At the beginning of processing personal data controllers “shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”[18] Hence, the first thing a mobile app user shall be presented is a Privacy menu or a form with empty boxes by default for each purpose to check in. These not only include consenting purposes for processing but also giving permission for accessing and interfering with device’s functionalities such as contacts, microphone, camera, photos, Wi-Fi, cellular data, etc. With regard to that, ENISA have explained the management of permissions in the context of consent management regarding the legitimacy of data processing operations.[19] What ENISA defines as “permission architecture” is an example of addressing privacy and security in the development process and relevant challenges in terms of obtaining the user’s consent.[20] As ENISA confesses there is “gap between legal requirements and the translation of these requirements into practical solutions that app developers can implement”, striking the balance between the compliance and technical implementation is the main goal.[21] For that reason, where the legal requirements for consent establish disruptive experience and obstacles to the use of the service for which it is provided, a revision for the general applicability of this legal basis by default is prudent.
Next, data subjects shall be able to withdraw their consent at any time as easy as initially obtained. As stated “The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.”[22] For instance, if we revoke the consent to use the camera as well as information to be provided to advertisers it is highly expected the mobile application in question to be no longer working properly. Furthermore, withdraw of consent is part of the topic about intervenability of mobile apps concerning the principles concerning individuals’ rights.[23] With regard to data controllers, intervenability is crucial to “effectively control the data processor and the used IT systems to influence or stop the data processing at any time”[24] and for this reason, the liberal regime of easy consent withdraw could establish a state of unpredictability along the lifecycle of the application.
Another aspect is the requirement data controllers to record and be able to demonstrate at any time proof for the obtained consent. That is quite questionable for controllers dealing with a myriad of data subjects and evolving processing activity.[25] Such discussion is pressing with regard to the tight connection between children and mobile applications these days. Since mobile apps are proliferated across children’ smartphones and tablets and knowing how technically obsessed modern kids are, it is a public secret that millions of children are users of mobile apps. This means that data controllers process personal data of children all the time falling into the territorial scope of GDPR. Where consent is the legal basis to be relied upon for processing personal data and information society services are offered to children, the processing of children personal data is only lawful if the child is older than 16 years and if younger an additional person shall give the consent for processing. We can imagine the millions of children using Facebook, Instagram, Snapchat, and Musical.ly on a daily basis but how is their obtained consent complaint to this condition? Is it realistic to assure that parents have granted their permission for a mobile application to process their children personal data?
Additional controversial aspect is related to the international data transfers of personal data collected by mobile applications. These days information circulates over the Internet between servers around the world thanks to cloud computing technology. This means that personal data of users is not only transmitted across various countries outside EEA but also processed in these countries. As far as there are no adequacy decisions and adequate safeguards in place, controllers (would) depend on the derogations for international data transfers under GDPR. To reformulate, choosing by default consent as the main criterion for processing in general implies that data controllers (would) primarily rely on consent for international data transfers. Under GDPR for international data transfers to third countries, in case of consent employment, an explicit one is mandatory to transfer personal data to the third country lawfully.[26] As the „regular” consent is defined as „statement or clear affirmative action”, it needs to be clarified what extra efforts should be undertaken in order to obtain the explicit consent of data subjects referring to mobile applications in line with the GDPR. With regard to that, a possible solution is users to be presented a special box to tick and/or a designated information form to give their explicit consent their personal data to be processed in a third country. Additionally, users should be able to consent explicitly in an informative, fair and transparent manner. Here comes the question for the withdrawal of users’ consent for international data transfer at any time. How possible and justified is that nowadays in the times of massive trans-border data flows?
For mobile applications that process special categories of personal data, how to obtain the obligatory explicit consent is a challenge.[27] For example, dating apps handling sexual orientation information or health apps dealing with data concerning health require explicit consent for one or more specified purposes given by the data subject. Again, the technical aspect of acquiring explicit consent could be troublesome and disruptive in terms of UX. However, if no explicit consent for one or more specified purposes is provided in a legitimate manner, the processing of sensitive personal data might be unlawful and invalid unless another exception applies.[28]
To reformulate, consent finishes as tricky to manage although promising at first glance lawful ground for processing personal data by mobile applications. For this reason and based on the examination above it looks far from reasonable mobile applications to depend on consent by default as a general legitimate processing criterion .
Final word
In a nutshell, the approach of pinpointing consent as a universal legitimate processing condition could be quite problematic for mobile software developers and privacy professionals in practice. In fact, consent can be defined as a “fragile” legal basis because of the regime “easy obtained-easy revoked”. Figuratively, it establishes deceptive stability resembling quicksand in terms of the lawfulness of the processing. Such legal instability would inevitably confuse and annoy users regarding the interfering user experience technical requirements and design obstructions. Consequently, it is expected to provoke technical and financial uncertainty along the process of software development and monetization of mobile applications. Therefore, it is recommended to acknowledge and analyze the full range of legitimizing criteria for processing personal data before focusing on consent as a panacea by default.
About the Author
Damyan Todorov, CIPP/E, is currently working as an external DPO and privacy consultant towards GDPR implementation and compliance. Completed LLM Law & Technology at Tilburg University in 2017. Find Damyan on LinkedIn or his personal website.
If you appreciate this article, please click the 👏 button and share to help others find & comment it! Feel free to leave a comment below.
Footnotes
[1] GDPR, Article 6
[2] Opinion 02/2013 on apps on smart devices, WP Article 29, p.14, 2013
[3] Privacy and data protection in mobile applications, ENISA, 2017
[4] Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions, EDPS, 2016
[5] Opinion 13/2011 on Geolocation services on smart mobile devices, WP 29, p.13
[6] Facebook Data policy (https://www.facebook.com/about/privacy/legal_bases)
[7] ibid
[8] Tinder Privacy Policy (https://www.gotinder.com/privacy)
[9] ibid
[10] Spotify Privacy policy (https://www.spotify.com/bg/legal/privacy-policy/)
[11] ibid
[12] WhatsApp Legal Info (https://www.whatsapp.com/legal?eea=1)
[13] Global privacy sweep raises concerns about mobile apps (http://be-wiser.eu/admin/resources/many-mobile-apps-want-your-personal-information.pdf), Global Privacy Enforcement Network (GPEN)
[14] GDPR, Recital 32
[15] GDPR, Recital 43
[16] GDPR, Recital 32
[17] ibid
[18] GDPR, Article 7 (1)
[19] Privacy and data protection in mobile applications, ENISA, 2017
[20] Ibid
[21] Ibid, p. 57
[22] GDPR, Article 7 (3)
[23] Privacy and data protection in mobile applications, ENISA, 2017, p.48
[24] Ibid, p.49
[25] GDPR, Article 7
[26] GDPR, Article 49 (1) (a)
[27] GDPR, Article 9 (2) (a)
[28] GDPR, Article 9 (2)
