New Technologies

Austria: Apps and Data Protection

They are convenient, entertaining, easy to handle, cheap and versatile. Apps – our mobile companions. But using Apps means processing personal data and triggers the data protection law. What does this mean for the common user?

To answer this question, it is useful to remember role allocation under data protection law. On the one side is the data controller, who wishes to process other people’s personal data. On the other side is the data subject, whose data is to be processed and who wants it protected. In a nutshell, data protection means balancing their competing interests.

User versus App provider

What does this mean for the use of Apps? The data protection implications on the use of Apps can best be illustrated with an example. Considering a “simple” App, like an App for calendar management, things look easy. The user uses the App to manage his personal calendar data; he is the data subject. The App provider processes the user’s calendar data; he is the data controller. The provider’s processing of the user’s calendar data is still legitimate as the user uses the App for this purpose and, in fact, wants the App provider to process the calendar data.

But things become more complex if the App provides for joint calendar data management within a defined user group. If a user, for example, synchronises all the other group members’ calendar data in order to fix a joint appointment, he not only processes his own calendar data but also that of the other group members. He is not the sole data subject any more. Instead, he becomes a data controller of the other group members’ data. Accordingly, all the provisions of the Austrian Data Protection Act that regulate a data controller’s activities apply to the user.

The Austrian Data Protection Act

These obligations range from the need to register with the Austrian data protection authority to the proper handling of data subjects’ requests, from ensuring that adequate security measures are in place to adhering to the law’s data breach obligations, and more. Briefly, the user faces numerous regulatory provisions he might not be able to comply with, or might not even be aware of. The calendar management example might look tame but when considering the diversity of all the Apps being daily used and the masses of users using them, it becomes clear that data protection legal issues will quickly arise.

The legal literature is well aware of this subject and discusses various approaches to solving it. One approach is the “household exemption”, which allows unregulated data processing if it happens within the personal and private sphere of the data controller. Another approach sees the legal solution in gaining the users’ consent. But many Apps trigger data processing that exceeds the processing of data within the sole private and personal sphere of the user. In those cases, the “household exemption” will not apply. Also, none of the popular App stores currently provide for valid consent declarations. So, this issue is still unresolved: users still risk being fully regulated, which means having to adhere to all the obligations imposed by data protection law when processing other peoples’ data through an App.

Users are thus well advised to consider whether they would like to have their data being processed the same way before processing other peoples’ data through an App.

The processing of other people’s personal data through an App triggers full responsibility under data protection laws.