Mobile Applications: What The CNIL Has In Store For Developers


The CNIL has published its draft recommendation on mobile applications. Here are a few points that concern developers. Native, hybrid, or progressive web app? The CNIL covers these choices in its draft recommendation on mobile applications. The text is open to public consultation until October 8, 2023. Its main objective is to allow the stakeholders in this ecosystem to determine their legal qualification within the meaning of the GDPR, and the obligations that follow from it.

The CNIL has defined five types of actors: publishers, developers, SDK providers, OS providers, and application store providers. It defines the publisher as follows:

  1. the legal entity (or sole proprietorship of a natural person) that makes the application available to users

And the developer:

  1. the legal entity or natural person that carries out the technical operations of developing the application on behalf of, and under the instructions of, the publisher

The two profiles can merge into a single entity.

Publishers Are Responsible For Processing When…

A publisher may be responsible for the processing carried out when the services offered through the application are used. This covers processing of account-management data and of the data necessary to use those services. The publisher may also be responsible for processing resulting from read and write operations that it carries out on its own behalf. Examples involving the reading of mobile identifiers:

  1. The unique advertising identifier for third-party tracking
  2. The user’s account identifier, read by an application store provider to personalize suggestions (it then acts as publisher)
  3. The same identifier, read by the OS provider to improve functionalities (it then acts as a system app publisher)

Access to terminal sensors falls into the same category as long as the data is transmitted over a network. The same goes for accessing data for features such as saving files, loading a profile photo, or discovering contacts. The publisher may also be responsible, possibly jointly, for the reading of identifiers by a third-party SDK, in particular when it is done for the purpose of profiling users on its behalf or improving its service. The same applies where the SDK supplier carries out the operations on behalf of the publisher.

Developers Are Responsible (Or Subcontractors) When…

A developer has no liability under the GDPR if he only provides the publisher with the application code and then has no further role in its operation.

He can be a subcontractor if he acts on behalf of a publisher who is responsible for the processing, for example by implementing the data processing and storage infrastructure, or by performing operations on server-side data for maintenance or outsourcing purposes.

The developer may be responsible if he processes data on his own behalf for purposes he defines. The examples given:

  1. Improvement of the security of the developer’s other apps
  2. Production of statistics for the purpose of improving its services
  3. Cross-referencing of data from different apps to offer new services

A “Domestic Exception”

The CNIL recalls the existence of an exemption set out in Article 2.2.c and Recital 18 of the GDPR. The regulation does not apply to processing carried out by a natural person in the course of strictly “personal” or “domestic” activities (a family or friendly context). In this scenario, publishers, as third parties providing the processing resources, are not responsible if two cumulative criteria are met:

  1. Processing is carried out on the initiative, at the discretion, and for the sole account of the person.
  2. Processing is carried out under the control of the person, without any possible intervention by third parties on the data.

The CNIL considers that biometric authentication with local, encrypted storage meets these criteria, and says the same of health apps that record and store data locally. The same reasoning could apply, it says, to P2P data sharing, or to applications that function as simple software made available to the user. This would be the case for a keyboard with local “learning” and no federation. Generally speaking, an application that operates without intervention from its supplier and without transmitting data to it is likely to fall under this exemption, the commission summarizes.

Recommendations To Publishers

For each processing operation, the CNIL advises publishers to favor a configuration that meets the criteria of this domestic exemption: local computation rather than calls to remote APIs, or local data-sharing tools between applications under the user’s control. As with the legal qualifications, many recommendations are not specific to mobile applications. They concern data retention, keeping a register of processing operations, the management of consents, and so on.

The principle of minimization is also discussed, with an example: do not store a complete date of birth if the application only needs the year. “Mapping your partners” is another task, and the developer is one of them. First, identify the processing operations the developer will implement, including on its own behalf, and contractually formalize the resulting obligations. Also formalize the technical measures expected from the developer in terms of data security (permissions included), while ensuring that the contract provides for updating the app in the event of a vulnerability.

Recommendations For Developers

The CNIL recalls, referring to the EDPS guidelines, that a developer making technical choices does not necessarily become responsible for the processing. It provides a number of recommendations that “cross-reference” those addressed to publishers, for example on record keeping and on approval of the use of further subcontractors.

The relationship with the publisher should also lead to project management processes. For example, involve the publisher in any decision (technical choice, interface design) that affects users’ privacy. Do not neglect the effects of external developments either, such as a new version of an SDK or a change to the permissions offered by the OS. In the latter case, the CNIL suggests that the developer propose an update to the publisher as part of the subcontractor’s “duty to advise.” This notion includes initiatives such as:

  1. Help ensure proper respect for user rights (provision of the privacy policy within the app, or even a simplified GDPR information screen on first launch; a dedicated page for exercising user rights…)
  2. Participate in compliant use of trackers and collection of consent (the CNIL points here to its “Cookies and other trackers” recommendations)
  3. Propose developments respecting the principles of personal data protection (limit the data displayed in notifications, encrypt the content of backups, and give the user control of the keys, etc.)

From “Minimum Measures” To “Security Model”

TLS, storage of cryptographic secrets by packaging, deactivation of unwanted OS-level backups, and adequate authentication are all “minimum security measures” that the CNIL lists for developers’ attention. It also recommends that they adopt an adequate security model. “Certificate pinning or code obfuscation measures do not constitute relevant security measures,” it tells them, while calling for the model not to rely on the integrity of the terminal.

The developer also has responsibilities when selecting SDKs. Among other things, ensure that they make it possible to block processing, data access, or the use of permissions until valid consent has been obtained. Audit them as well, bearing in mind that the SDK publisher, in its role as subcontractor, must facilitate the process.
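One way to enforce the “nothing before valid consent” requirement above on the app side, as an added example that is not from the CNIL draft or any SDK vendor: a gate that holds every third-party SDK call until consent for its purpose is recorded, and discards held calls when consent is withdrawn. `Purpose`, `ConsentGate` and the `AdsSdk`/`AnalyticsSdk` names are constructed for the example.

```kotlin
/** Processing purposes a tracker or SDK call can be tied to (constructed for this example). */
enum class Purpose { ANALYTICS, ADVERTISING }

/**
 * Holds each SDK call until the user has consented to its purpose.
 * A held call is never executed before grant(); withdraw() drops held calls
 * so that a later re-grant starts from a clean slate.
 */
class ConsentGate {
    private val granted = mutableSetOf<Purpose>()
    private val held = mutableMapOf<Purpose, MutableList<() -> Unit>>()

    /** Run [action] now if consent for [purpose] exists, otherwise hold it. */
    @Synchronized
    fun whenConsented(purpose: Purpose, action: () -> Unit) {
        if (purpose in granted) {
            action()
        } else {
            held.getOrPut(purpose) { mutableListOf() }.add(action)
        }
    }

    /** Record valid consent for [purpose] and release the held calls in order. */
    @Synchronized
    fun grant(purpose: Purpose) {
        granted += purpose
        held.remove(purpose)?.forEach { it() }
    }

    /** Withdraw consent: future calls are held again and pending ones are dropped. */
    @Synchronized
    fun withdraw(purpose: Purpose) {
        granted -= purpose
        held.remove(purpose)
    }

    @Synchronized
    fun heldCount(purpose: Purpose): Int = held[purpose]?.size ?: 0
}

// Usage with placeholder SDK wrappers (AdsSdk and AnalyticsSdk are hypothetical).
fun main() {
    val gate = ConsentGate()
    // Neither call runs yet: no consent has been recorded for either purpose.
    gate.whenConsented(Purpose.ADVERTISING) { println("AdsSdk.init(readAdvertisingId = true)") }
    gate.whenConsented(Purpose.ANALYTICS) { println("AnalyticsSdk.start()") }
    println("held for advertising: ${gate.heldCount(Purpose.ADVERTISING)}")
    gate.grant(Purpose.ANALYTICS)      // releases only the analytics call
    gate.withdraw(Purpose.ADVERTISING) // the held advertising call is discarded, never run
}
```

Wrapping each SDK entry point in `whenConsented` keeps the consent decision in one auditable place, which is also what the audit step above will look for.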
