New Technologies

Austria: Apps and Data Protection

They are convenient, entertaining, easy to handle, cheap and versatile. Apps – our mobile companions. But using Apps means processing personal data, which triggers data protection law. What does this mean for the common user?

To answer this question, it is useful to remember role allocation under data protection law. On the one side is the data controller, who wishes to process other people’s personal data. On the other side is the data subject, whose data is to be processed and who wants it protected. In a nutshell, data protection means balancing their competing interests.

User versus App provider

What does this mean for the use of Apps? The data protection implications of using Apps can best be illustrated with an example. Considering a “simple” App, like an App for calendar management, things look easy. The user uses the App to manage his personal calendar data; he is the data subject. The App provider processes the user’s calendar data; he is the data controller. The provider’s processing of the user’s calendar data is still legitimate as the user uses the App for this purpose and, in fact, wants the App provider to process the calendar data.

But things become more complex if the App provides for joint calendar data management within a defined user group. If a user, for example, synchronises all the other group members’ calendar data in order to fix a joint appointment, he not only processes his own calendar data but also that of the other group members. He is not the sole data subject any more. Instead, he becomes a data controller of the other group members’ data. Accordingly, all the provisions of the Austrian Data Protection Act that regulate a data controller’s activities apply to the user.

The Austrian Data Protection Act

These obligations range from the need to register with the Austrian data protection authority to the proper handling of data subjects’ requests, from ensuring that adequate security measures are in place to adhering to the law’s data breach obligations, and more. Briefly, the user faces numerous regulatory provisions he might not be able to comply with, or might not even be aware of. The calendar management example might look tame, but when considering the diversity of all the Apps being used daily and the masses of users using them, it becomes clear that data protection legal issues will quickly arise.

The legal literature is well aware of this subject and discusses various approaches to solving it. One approach is the “household exemption”, which allows unregulated data processing if it happens within the personal and private sphere of the data controller. Another approach sees the legal solution in gaining the users’ consent. But many Apps trigger data processing that exceeds the processing of data within the sole private and personal sphere of the user. In those cases, the “household exemption” will not apply. Also, none of the popular App stores currently provide for valid consent declarations. So, this issue is still unresolved: users still risk being fully regulated, which means having to adhere to all the obligations imposed by data protection law when processing other people’s data through an App.

Users are thus well advised, before processing other people’s data through an App, to consider whether they would like to have their own data processed the same way.

The processing of other people's personal data through an App triggers full responsibility under data protection laws.