À partir du 1er décembre 2014, ce blogue ne sera plus mis à jour.
Cynthia Chassigneux

1 avril 2013

Europe: avis sur les applications mobiles

À l'instar de plusieurs autres autorités (i.e. FTC (voir par ex. les guides de février 2013 ou de décembre 2012), Hong-Kong (billet), Canada (billet)), le Groupe de l'article 29 a publié un avis sur les applications mobiles: Opinion 02/2013 on apps on smart devices dans lequel il est notamment fait mention 
- des risques quant à la protection des données personnelles étant entendu que "apps are able to collect large quantities of data from the device (location data, data stored on the device by the user and data from the different sensors) and process these in order to provide new and innovative services to the end user" (p. 5)
Partant, il est mis de l'avant que 
  • "a high risk to data protection comes from the degree of fragmentation between the many players in the app development landscape" (p. 5) et 
  • "the key data protection risks to end users are the lack of transparency and awareness of the types of processing an app may undertake combined with a lack of meaningful consent from end users before that processing takes place.Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment" (p. 5).
- du cadre légal applicable (i.e. Directive 95/46/CE, Directive 2002/58/CE révisée par 2009/136/CE),

- des devoirs et responsabilités de chacun des intervenants, plus particulièrement des développeurs d'applications mobiles, des systèmes d'exploitations, des vendeurs d'applications et autres tiers,

- des exigences quant à l'encadrement des données (i.e. consentement, information préalable, limitation d'utilisation, sécurité, droits d'accès et de rectification des personnes concernées, conservation des données),

- de la problématique des applications mobiles destinées aux jeunes étant entendu que "children are avid users of apps, either on their own devices or on shared devices (e.g. those of their parents, siblings or in an education setting) and there is clearly a large and diverse market for apps targeted at children. But at the same time children have little or no understanding of and knowledge about the extent and sensitivity of the data to which apps may gain access, or the extent of data sharing with third parties for advertising purposes" (p. 26)

Dans sa conclusion, le Groupe de l'article 29 insiste sur le fait que: 
"Many types of data available on a smart mobile device are personal data. The relevant legal framework is the Data Protection Directive, in combination with the specific consent- requirement contained in Article 5(3) of the ePrivacy directive. These rules apply to any app targeted to app users within the EU, regardless of the location of the app developer or app store.
The fragmented nature of the app ecosystem, the wide range of technical access possibilities to data stored in or generated by mobile devices and the lack of legal awareness amongst developers create a number of serious data protection risks for app users. These risks range from a lack of transparency and lack of awareness amongst app users to poor security measures, invalid consent mechanisms, a trend towards data maximisation and elasticity of data processing purposes. 
There is an overlap of data protection responsibilities between the different parties involved in the development, distribution and technical capabilities of apps. Most conclusions and recommendations are aimed at app developers (in that they have the greatest control over the precise manner in which the processing is undertaken or information presented within the app), but often, in order for them to achieve the highest standards of privacy and data protection, they have to collaborate with other parties in the app ecosystem, such as the OS and device manufacturers, the app stores and third parties, such as analytics providers and advertising networks".  
(Source: Opinion 02/2013, p. 27)
Pour aller plus loin, 

Aucun commentaire:

Enregistrer un commentaire

Remarque : Seul un membre de ce blog est autorisé à enregistrer un commentaire.