In July 2021, Germany’s Federal Cartel Office (Bundeskartellamt – FCO) published its report (PDF, in German) on the mobile apps sector.
In the inquiry underpinning its report, the FCO reviewed the transparency of the biggest mobile app stores, reviewed the privacy notices and settings of 32 different apps, and interviewed around 1,400 consumers about their app usage preferences.
Based on investigations by consumer protection agencies (in German) and other organisations, the FCO also investigated the data protection aspects of mobile app usage, despite data protection-related sanctions being outside the scope of this inquiry. The report points out that there may be serious flaws regarding data protection and other statutory requirements. As a result, the FCO is calling on app publishers and app store providers to do more to ensure mobile apps are legally compliant and user friendly.
Violations of statutory obligations across the value chain
The report highlights shortcomings in almost every aspect of the value chain of mobile apps, particularly a lack of transparency and poor adherence to the privacy-by-design principle.
Privacy policies and terms and conditions of app publishers and app-store providers were the main point of criticism. However, the report also positively highlights efforts by businesses to prevent user tracking.
Lack of transparency
In many of the cases the FCO assessed, it remained unclear to the app user who the actual contractual partner was when the app was downloaded. In some cases, the report even identified discrepancies between the contractual partner, the publisher of the app and the data controller for the same app.
It also remained unclear for consumers whether they actually pay for ‘free’ apps with personal data (which is then monetised by the provider), while providers were failing to fulfil their corresponding pre-contractual information obligations to the FCO’s satisfaction.
Further, consumers are not informed which criteria (so-called 'ranking parameters') are used to display certain apps when searching in app stores, which could also lead to competitive disadvantages for app providers. This lack of transparency will be addressed by the EU Platform-to-Business Regulation (for more, see our blog post) and the Omnibus Directive, which member states must apply by 28 May 2022.
According to the FCO, privacy notices were in most cases too generic and failed to inform users which personal data is used for what purpose and on which legal basis. In particular, information about the disclosure of personal data to third parties lacked the necessary transparency and, in most cases, it was impossible to determine when and to whom the personal data was disclosed.
Privacy by design and by default
The report points out that, in many cases, apps relied on legitimate interest to process users’ personal data, even when the apps should have obtained prior consent.
Further, certain preinstalled apps were not necessary for the proper operation of the smartphone, which, in most cases, might even breach the GDPR’s privacy by design and privacy by default principles.
The majority of the consumers interviewed asked for more control over the processing of their personal data. Even though this expectation is already met at operating system level, most apps do not allow any control over the processing of users’ data.
The FCO’s sector inquiry confirms the recent trend we have seen from regulators to push the entire digital sector in a more consumer- and privacy-friendly direction, with transparency and privacy by design at its core.
The FCO hints that the current state of play may not be compatible with the upcoming EU Digital Markets Act, which is intended to regulate gatekeepers such as operating systems developers.
App-store providers and app developers will face more scrutiny from data protection agencies and the FCO regarding the privacy settings and transparency of their products, and should therefore consider:
- reviewing all consumer-facing information such as privacy notices, pre-contractual information, contractual partner information, terms and conditions, and pricing information. This will become even more important under the Digital Content Directive, which member states must implement by 1 January 2022;
- mapping out all third-party data recipients, detailing these arrangements in privacy notices and allowing users to turn off data transfers to those third parties; and
- including privacy by design features to allow consumers more control over the processing of their own data.
With Germany’s Telecommunications and Telemedia Data Protection Act – which will require user consent before accessing data stored on a device – coming into force in December 2021, the FCO report is a timely reminder that privacy by design isn’t something to be taken lightly.