Mobile Applications Under the Scrutiny of the CNIL: A Balance Between Innovation and Data Protection
The French Data Protection Authority (“CNIL”) published new recommendations in September 2024 aimed at strengthening the protection of personal data in the context of mobile applications. These recommendations, which are the result of a public consultation, clarify the obligations of digital actors and provide answers to the challenges posed by the constant evolution of technology.
1. Mobile Application Sector Actors and Their Responsibilities
The actors in the mobile application sector are numerous and varied, including:
- Application publishers;
- Application developers;
- Software Development Kit (SDK) providers;
- Operating system providers;
- Application store providers.
The CNIL identifies the various types of data processing involved in mobile applications and the related roles and responsibilities of the different actors under the GDPR (data controller, processor, joint controllers).
Operating System (OS) Provider
- Existence of a data processing? Possibly yes, where terminal identifiers, user accounts, or data collected via software (e.g., camera) or stored on the device (contact book) are collected.
- Responsibility: Data controller (e.g., OS updates).
Application Store
- Existence of a data processing? Possibly not, unless user account information is used.
- Responsibility: Data controller (e.g., application updates).
Application Developer
- Existence of a data processing? Possibly not, but may be involved in certain processing operations.
- Responsibility: Option 1. No responsibility if only providing the application code to the publisher. Option 2. Processor on behalf of the publisher (e.g., maintenance). Option 3. Data controller (e.g., statistics for service improvement).
SDK Provider
- Existence of a data processing? Possibly yes, through its functionalities (QR code reader, data analysis, advertising intermediary).
- Responsibility: Option 1. Processor for the publisher (e.g., profiling on behalf of the publisher). Option 2. Data controller (e.g., improving its own profiling services).
2. Application of the Household Exemption
The household exemption is a derogation from the GDPR for personal data processing carried out exclusively for purely personal or household activities. In other words, if an individual processes personal data in a strictly private context, without any commercial or professional purpose, they can benefit from this exemption.
For health applications, the CNIL indicates that the household exemption may apply when data is stored locally, without external connection, for personal purposes only, and provided that there is no functionality enabling the provision of services remotely.
3. Permission and Consent
The CNIL also provides clarifications on the differences between technical permissions and consent, noting that the two concepts are not interchangeable. To legitimately collect personal data, it is necessary to ensure that:
- the individual has granted permission to access the requested part of the terminal; and
- the individual gives their consent to the personal data processing as required by the applicable regulations, notably the GDPR or the ePrivacy Directive.
Because a technical permission must not be confused with consent, the CNIL recommends considering the implementation of a Consent Management Platform (CMP) in addition to the permission prompt.
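To make the two gates concrete, here is an added example (not from the CNIL text or any real CMP) that refuses data collection unless both the OS permission and a purpose-specific consent record exist, and that rejects bundling a health purpose into a general consent so that health data always gets its own separate consent. The `ConsentStore` class is a hypothetical stand-in for a CMP.

```python
"""Gate collection on an OS permission AND a recorded, purpose-specific consent."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes that involve special categories of data (health data here) and
# therefore require a consent collected separately from any other purpose.
SPECIAL_CATEGORY_PURPOSES = {"health_tracking"}


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    timestamp: datetime
    policy_version: str  # version of the notice the user saw when deciding


@dataclass
class ConsentStore:
    """Hypothetical CMP stand-in: one record per purpose, latest decision wins."""
    records: dict = field(default_factory=dict)

    def record(self, purpose: str, granted: bool, policy_version: str) -> None:
        self.records[purpose] = ConsentRecord(
            purpose, granted, datetime.now(timezone.utc), policy_version)

    def record_bundle(self, purposes: list, granted: bool, policy_version: str) -> None:
        """Record one decision for several purposes, but never mix a special
        category purpose into a bundle: it must be asked for on its own."""
        mixed = SPECIAL_CATEGORY_PURPOSES.intersection(purposes)
        if mixed and len(purposes) > 1:
            raise ValueError(f"separate consent required for {sorted(mixed)}")
        for purpose in purposes:
            self.record(purpose, granted, policy_version)

    def has_consent(self, purpose: str) -> bool:
        rec = self.records.get(purpose)
        return rec is not None and rec.granted


def may_collect(os_permission_granted: bool, consent: ConsentStore,
                purpose: str) -> tuple:
    """Return (allowed, reason). Both gates must be open; a granted OS
    permission alone never authorises processing for a given purpose."""
    if not os_permission_granted:
        return False, "os permission not granted"
    if not consent.has_consent(purpose):
        return False, f"no consent recorded for purpose '{purpose}'"
    return True, "ok"
```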
4. Health Applications: A Particular Challenge
Health applications are subject to particular attention due to the sensitivity of the data processed.
Regarding the processing of health data, the CNIL emphasizes the need for explicit and informed consent from the individuals concerned. The data subjects must remain free to accept or refuse the processing of their health data. The CNIL mentions the need to provide a warning or specific mention about the processing of health data and to obtain separate consent.
For applications involving data processing, especially health data, the following measures should be considered:
- Transparency: Users must be clearly and comprehensively informed about the processing and their rights. The CNIL encourages developers to refer to its cookie recommendations to provide guidance on how to present information to data subjects in a mobile environment.
- Data Security: The CNIL details basic security standards for mobile application developers to consider. It also provides best practice rules for conducting audits by publishers to ensure system security.
For developers processing special categories of data, including health data, the CNIL indicates that it is essential to consider the following requirements:
- Such data can only be processed on the explicit instructions of the publisher. In this case, the developer must organize a separation in the digital tool's architecture between special categories of data and other types of data;
- The developer is required to inform the publisher of any irrelevant or unlawful use of data under Article 28 of the GDPR;
- The transmission of data to third parties must be particularly regulated.
It is also noted that profiling for advertising processes based on categorization using special categories of data is prohibited (Article 26 of Regulation 2022/2065, Digital Services Act or “DSA”).
In conclusion, the CNIL's recommendations mark a new step in the protection of personal data in the context of mobile applications. The forthcoming AI Regulation will complement the applicable regulatory framework. Increased vigilance will therefore be required from actors involved in the development of mobile applications, particularly in the healthcare sector, to ensure compliance with a growing number of rules at both the European and local levels.