
New CNIL Recommendations for Mobile Applications: Obligations and Risks as of 2025

On 18 July 2024, the French Data Protection Authority (CNIL) published its long-awaited recommendation on data protection for mobile applications. This publication provides a roadmap for publishers, developers, software development kit (SDK) providers, and other players in the mobile app ecosystem, to ensure greater compliance with the General Data Protection Regulation (GDPR).

The GDPR responsibilities of the various players vary according to their role in the processing of personal data. For example, an application publisher is generally considered to be a controller, while a developer may be either a processor or a controller, depending on the degree of involvement.

The recommendation, drawn up with contributions from 18 different players in the mobile applications ecosystem, covers all the key aspects, including compliance with the principles of privacy by design, the management of personal data processing and compliance with consent requirements.

1. Privacy by Design and Privacy by Default

One of the key points of the recommendation is the integration of the principles of privacy by design and privacy by default. This means that data protection must be at the heart of the development of any application from the earliest design stages. Companies must therefore ensure that every feature of the application complies with these principles and minimises the risks to users’ privacy.

2. Mapping of Personal Data Processing

The publisher, as data controller, must clearly identify and map all personal data processing carried out in the application. This includes a precise definition of each processing operation, details of the data collected and identification of the third parties involved. Each processing operation must be justified by a legal basis in accordance with Article 6.1 of the GDPR, such as:
• The user’s consent (Art. 6.1 a),
• Performance of a contract (Art. 6.1 b), if the processing is necessary for that performance,
• Legitimate interest (Art. 6.1 f), if there is no disproportionate infringement of the rights and freedoms of the data subject.


Particularly with regard to the use of SDK providers, the publisher must ensure that the processing carried out is strictly necessary for the performance of the contract. Otherwise, the user’s explicit consent is required.

3. Consent Management

User consent is fundamental, especially when it comes to sensitive data such as location or contacts. Developers must therefore integrate tools to collect, store and manage these consents in a transparent and secure way. Users must be able to withdraw their consent as easily as they gave it.

CNIL control points from 2025

From 2025, the CNIL plans to step up its checks on mobile applications. The main audit points will include:
• Compliance of personal data processing, in particular respect for users’ consent,
• The security of sensitive data, such as location information and financial data,
• SDK management and the transmission of data to third parties,
• Transparency towards users, in particular through clear and accessible privacy policies.


These audits aim to ensure that companies comply with good data protection practices and reduce the risk of privacy breaches.

Risks in the event of non-compliance

Failure to comply with the CNIL recommendations can result in severe penalties:
• Fines: under Article 83 V GDPR, companies can be fined up to €20 million or 4% of annual worldwide turnover, whichever is greater.
• Damage to reputation: under Article 58 II b GDPR, the CNIL may make public a penalty imposed on a company, which may seriously affect its reputation and the confidence of users.
• Temporary or permanent ban on use of the application: under Article 58 II f GDPR, the CNIL may order the limitation or prohibition of data processing, which could lead to the suspension or permanent shutdown of the application.

Conclusion

The CNIL’s 2024 publication marks an important turning point for publishers and developers of mobile applications. They will have to redouble their efforts to ensure that their personal data processing practices comply with the CNIL’s new recommendations. Tighter controls from 2025 will require players in the sector to take proactive measures to protect users’ privacy, or face financial penalties and damage to their reputation in the event of non-compliance.

The recommendations are available here. You will find here a summary of the CNIL’s recommendations.