N. van Ham I had heard of Vrijspraak only in passing when, at a monthly Magister drink, someone suggested applying for the position of Vrijspraak treasurer....
Can the players on the smartphone market legally collect your personal data?
By Richard Spoelstra
Nowadays, most of us have a smartphone and with it comes an operating system. We have an application store and most importantly, we have applications. However, the smartphone manufacturer, the operating system, the application store and the applications themselves can collect all sorts of personal data from your phone. This is done through the system of consent, but is consent as it is currently given sufficient? Does it conform with the law? This article will touch upon this very issue. It will start with what exactly is personal data, who are the players on the smartphone market and, before finishing with a summary and conclusion, it will delve into the issues that come with consent.
What exactly is personal data?
When people talk about privacy, they talk about their personal data. What exactly does that mean, personal data? According to article 2(a) of the Data Protection Directive[i], personal data means any information relating to an identified or identifiable natural person.[ii] In opinion 4/2007, the working party 29[iii] elaborated on the concept of personal data. It broke down the definition of personal data in four separate parts, any information, relating to, identified or identifiable and natural person.[iv] To start with the first one, any information, any information literally can mean any information. As an example of how far things can go, the working party used the case of a child’s drawing. The drawing was made in the relation of a court case where the child was asked to draw a picture of her family. The psychiatrist could then explain what the child was feeling. The drawing could be classified as personal data of the child seeing as it could identify certain character traits of the child.[v] For the second part, relating to, the working party went back to a previous opinion it gave on RFID tags. In this opinion, the working party said the following about when personal data is relating to an individual: “Data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated.”[vi] The third part is about who is identified or identifiable. To keep things short, the person is identified if he is pinpointed in a crowd and a person is identifiable if you are able to identify him in a crowd.[vii] The last part means any living person.[viii] The Working Party gave a very broad definition of personal data. The reason for this is that privacy is becoming less obvious. In a day and age where your name can determine how prosperous you will become, it is certainly important that even the slightest bit of information relating to you should be handled with the utmost care.[ix]
Who are the players on the application market?
The first two players encountered on the smartphone market are the smartphone manufacturer and the operating system. While these two are not obvious in collecting your personal data, they are the most important players. They provide the application developers with the personal data they request when running an application as well as sometimes having their own features which require your personal data[x].[xi] But what do they do with the data? Smartphone manufacturers and operating systems usually use the data for a “good cause”, they use it to make your smartphone use more convenient, to make the device perform better or to simply pass along the data to an application. Then there is the application store. The application store, which processes payment data, makes a user profile based on what kind of applications you download etc. These data are very personal data, advertisement companies would love to get their hands on your user profile so they can tailor their advertisements to your preferences.[xii] One of the most “used” players on the smartphone market is the application developer. Not only do we use this player the most but he is also the one that is the most obvious in collecting your personal data. The application developer makes its own applications. However, the companies who outsource the development of their applications are called applications developers as well. But, why do application developers need your personal data? Some applications need your personal data to provide you with the service that the application offers. Think for example about Google Maps that needs your location data to provide you with the closest route to that thing you love most. This is a good way to use your personal data. However, there are times when an application asks permission to access your personal data while they are not relevant to the application at all. The application developers need to make a profit and that does not happen when most applications are free of charge.[xiii] This is where the last player on the smartphone market comes into play, third parties. You do not encounter these players directly in your day-to-day handling of your smartphone, but they are there. As said before the application developers ask for more data than they actually need from you. The data that they collect is subsequently sold to those third parties that then use the data to make an advertising profile to tailor their advertisements to your “needs”.[xiv]
In the previous two paragraphs it was explained what personal data are and who the players on the smartphone market are. This paragraph will be about perhaps the most important thing in collecting personal data: consent. What exactly is consent and can the players on the smartphone market actually acquire valid consent? Article 2(h) of the Data Protection Directive gives the following definition of consent: “”the data subject’s consent” shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” As it was the case with personal data, the article 29 working party gave its opinion on the meaning of the article. In Opinion 15/2011 the working party wrote the following on consent. The working party isolated a few elements, which will explain how consent is given. The first element, “any; indication of his wishes; signifying”. This is arguably the easiest one, to keep things short; when you download an application or you register your phone, the fact that you pressed “ok” or “I agree” gives the data processor an indication that you agreed.[xv] The second element, “freely given”, is especially interesting in the context of smartphones. Normally pressing an “I Accept” or “I agree” button would mean freely given consent when you are a person over 18 who is not placed under any special supervision. The context of a smartphone it could however be a bit different. The working party used the example of governments and employees to signify a special relation between two parties. The same can be said about smartphone users and the smartphone manufacturer[xvi], operating system[xvii] or application developers[xviii].[xix] This can in some circumstances signify that there is no real freely given consent. In its opinion on apps on smart devices, the working party stated that there should be a cancel button and not merely an “I Accept” button.[xx] In the Google Play Store there is only an “I Accept” button, one has to press the home or back button to refuse the installation process. In the App Store there is not even such an option.[xxi] Then the working party speaks about the “Informed” criteria, another very important topic in the consent requirement. The information criteria are written down in article 10 and 11 of the Data Protection Directive. In short, they give an indication of what exactly the data subject should be made aware of before any data are processed.[xxii] While the information criteria are sufficiently safeguarded when getting a new phone, it is another story when you download a new application. The information provided then is very meagre.[xxiii] The last element of article 2(h) is specific. A data subject needs to give specific consent. Specific consent means that for each area of data processing the data processor needs to tell exactly what it is that he wants to process and why he wants to use the data.[xxiv] In applications this is certainly a problem and this same problem will also arise when installing your new phone. It is not really a feasible option to simply return the phone because you do not agree with the amount personal data it requires from you. Besides abiding to the requirements of article 2(h) consent must also be unambiguous[xxv]. Unambiguous consent means that there is no room for doubt as to whether the data subject really wants his personal data to be processed. The consent requirements are a real problem when handling your smartphone. While there is an indication that you accept that your personal data will be processed, it is highly unlikely that it is truly freely given, it is unlikely that they complied with the information and specific requirements and its even less likely that its unambiguous consent.
Summary and conclusion
This article talked about what exactly personal data are, who the players on the smartphone market are, what according to the working party the meaning of consent is and if you do press that “I accept” buttonyou really consent to your data being processed. The working party stated that anything could be personal data. The paragraph about the players on the smartphone market identified the smartphone manufacturer, the operating system, the application store, the application developer and third parties. The smartphone manufacturer and the operating system where identified as the most important players on the smartphone market as these are the ones who hold and operate the hardware and give the application developer access to your data. The application store was identified as holding a very specific profile of what exactly it is that you are looking for in an application. Then there were the application developers and the third parties who used the data to operate the applications, but foremost to use your personal data as a way to earn money. The last paragraph addressed consent, it identified what exactly is consent and how you give it, but more importantly, it identified that, as of now, there is no such thing as a true indication of ones wishes which signifies his freely given, specific, unambiguous and informed consent. It can therefore be concluded that the players on the smartphone market are living in a grey area where it is not entirely certain if they are legally allowed to collect your data.
[ii] This will as of now also hold true for the proposed data protection regulation.
[iii] The working party 29 is an advisory body that answers questions that arise when interpreting the directive.
[iv] Opinion 4/2007 on the concept of personal data, p. 6.
[v] Opinion 4/2007 on the concept of personal data, p. 8.
[vi] Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, p. 8.
[vii] Opinion 4/2007 on the concept of personal data, p. 12.
[viii] There are a few additional “people” that count towards natural persons, more information on those you can find in the opinion itself. Opinion 4/2007 on the concept of personal data, p. 21-23.
[ix] S.D. Levitt & S.J. Dubner, Freakonomics : a rogue economist explores the hidden side of everything, New York: HarperLargePrint, 2005. Chapter 6.
[x] Think for example about a find your phone feature but also information they can give you about how much megabytes of internet you have used in what application
[xi] Opinion 2/2014 on apps on smart devices, p. 10.
[xii] Opinion 2/2014 on apps on smart devices, p. 11.
[xiii] Opinion 2/2014 on apps on smart devices, p. 9.
[xv] Opinion 15/2011 on the definition of consent, p. 11.
[xvi] While there are a lot of smartphone manufacturers out there, there really aren’t that many flagship companies who can compete with each other: Think about LG, Apple, Samsung, HTC, Sony and in lesser forms blackberry.
[xvii] For operating systems there are even less options to name a few: IOS, Android, Windows Phone and BBOS.
[xviii] While there are numerous applications for everything, there are some applications that you just cannot get around, think for example about Facebook or WhatsApp.
[xix] Opinion 15/2011 on the definition of consent, p. 12.
[xx] Opinion 2/2014 on apps on smart devices , p. 14.
[xxi] You have to enter your password before the downloading commences that is the only place where you get to think twice about what you are downloading.
[xxii] Opinion 15/2011 on the definition of consent, p. 19.
[xxiii] When you first turn on your new phone, there are plenty of messages where you can read exactly what they require of you.
[xxiv] Opinion 15/2011 on the definition of consent, p. 17.
[xxv] Article 7(a) of the Data Protection Directive.
V. Kuepers On Saturday the 6th of October Brett Kavanaugh has been appointed to the US Supreme Court after an onerous procedure. Just before his official...