[Closed] Mobile applications: CNIL launches a public consultation on its draft recommendation

25 July 2023

As part of its action plan on mobile applications, the CNIL is publishing and submitting for public consultation a draft recommendation aimed at clarifying the obligations of the various players in this ecosystem, facilitating their compliance and promoting the introduction of best practices.

Why has the CNIL decided to look into mobile applications?

In 2022, according to the Digital Barometer, 87% of French people aged 12 and over will own a smartphone, which is now the preferred device for connecting to the Internet. This trend clearly demonstrates the importance of mobile phones and tablets in French people's daily digital lives.

These massive, daily uses of smartphones and applications present major challenges in terms of protecting users' privacy. The topic of "mobile applications" has therefore been included as one of the priorities in the CNIL's work programme for 2023.

Although a large number of applications offer the same services as their equivalent on websites, the technical environment in which applications operate is significantly different from them. In particular, the use of mobile applications enables the processing of large quantities of personal data that is not, or only to a limited extent, available on fixed terminals (geolocation, access to a contact book, etc.). This processing is carried out by a large number of players involved in developing mobile applications and making them available to the public. The CNIL has therefore decided to provide greater legal certainty in this area and to make recommendations for the protection of privacy. The document the CNIL submits for consultation clarifies the qualifications and responsibilities of these players with regard to the applicable data protection regulations, and sets out the principles and obligations that apply to the processing of data by mobile applications.

How was the draft recommendation drawn up?

In order to draw up its draft recommendation, the CNIL held consultations with a number of players representing the mobile applications ecosystem, enabling it to gain a better understanding of the sector: application publishers, developers, SDK (software development kit) providers, OS (operating system) and/or application store providers, institutional players and a number of representatives of civil society.

In addition, in order to gain a better understanding of the economic issues associated with data collection in the mobile world, the CNIL launched a call for evidence, the results of which it is publishing today.

Who is this draft recommendation aimed at?

Submitted for public consultation until October 8th 2023, this draft recommendation is aimed at 5 main categories of players involved in the mobile application ecosystem, who may have very different roles:

  • Mobile application publishers, who make mobile applications available to users. Sometimes publishers themselves develop the mobile applications they publish, in which case they also take on the role of developer.
  • Mobile application developers, who write the computer code that constitutes the mobile application.
  • Software development kit (SDK) providers, who develop "ready-to-use" functionalities that can be directly integrated by developers into a mobile application (audience measurement, advertising targeting, etc.). More often than not, SDK providers are also responsible for developing the technical infrastructures with which their SDKs, once integrated, will communicate.
  • Operating system providers, who provide the operating systems (e.g. iOS or Android) on which the mobile applications will run. The provision of these operating systems to the end user may involve a number of different entities. These include, for example, the operating system developers themselves, but also mobile and tablet manufacturers, who pre-install the operating systems on their devices.
  • Application store providers: these players provide platforms (themselves presented in the form of applications) for downloading new applications. There are relatively few of them compared with the other players, but they have a major impact on the end-user's experience of their device.

Within each of these categories of players, the content of the recommendation is aimed more specifically at data protection officers and technical and legal teams.

Please note that contributions to this consultation must be written in French.

How is this draft recommendation structured?

The draft recommendation includes a section dedicated to each category of player so that each can identify the recommendations that concern them directly. They can also easily identify the parts that concern their partners, to encourage them to comply.

The document is structured as follows:

  • parts 1 and 2 introduce the recommendation and define its scope;
  • part 3 sets out the conditions under which the regulations on the protection of personal data apply to mobile applications;
  • part 4 analyses the definition of roles and responsibilities of the various players involved in the provision of a mobile application in respect of the General Data Protection Regulation (GDPR);
  • parts 5 to 9 contain practical and targeted recommendations for each of the five categories of stakeholders concerned;
  • a glossary lists the technical terms used to describe them precisely in context.

What are the objectives of the recommendation?

Clarifying and define the role of each player

Firstly, the draft recommendation aims to clarify responsibilities between players of the mobile ecosystem and their respective obligations, in response to a strong demand from the consultation. In particular, it provides tools for clarifying and defining the relationships that may bind these entities - especially publishers, developers and SDK providers. The main aim of the draft recommendation is to enable each party to identify, for each processing of personal data, whether it is a controller, joint controller or processor in respect of GDPR, or whether it does not fall into any of these categories.

Ensuring proper information and consent collection for users

In a number of cases, the collection and use of users' personal data requires users' consent. In particular, a number of identifiers proposed by the mobile environment to enable user profiling cannot be used without prior consent. The draft recommendation aims to clarify and improve the management of user consent, both to encourage transparency and to ensure the legal compliance of the professionals concerned.

Permission systems for access to certain sensitive resources (geolocation, contact books, cameras, notepads, media documents, etc.) make it possible to gather consent in certain cases. However, permissions must be designed and used in such a way as to protect people's rights, in particular by providing them with sufficiently clear information (are they necessary for the application to function? For ancillary functions? To finance the application without payment from the user, for example via targeted advertising?).

The CNIL also recommends that there should be a link between requests for permissions made by applications to enable certain functions and collection of a valid consent.

Promoting best practices for the benefit of users

Given the important role of OS providers and application stores providers in the ecosystem, the draft recommendation highlights the impact they can have in improving and facilitating respect for users' privacy. The draft recommendation encourages OS providers and application stores providers to implement a set of best practices to contribute to an environment that is more respectful of the protection of personal data (improving the quality and reliability of the information presented to users, giving them greater control over the processing carried out by applications, etc.).

Lastly, the draft recommendation aims to encourage the implementation of architectures in which mobile applications are simply software that operate offline, without collecting or processing personal data. Applications that fall within this framework are by nature more protective of their users' privacy, and are sometimes no longer subject to the GDPR.

What is the timeline for the consultation and who can contribute?

This consultation will end on 8 October 2023 EOD.

After the consultation ends, the CNIL will examine and adopt a final version of the recommendation.

Any public or private stakeholder concerned may take part in the consultation. The CNIL particularly wishes to mobilise the players in the mobile application ecosystem targeted by the draft recommendation (application publishers and developers, SDK providers, operating systems providers and application store providers).

The CNIL encourages stakeholders from the same organisation or sector to combine their comments in a single contribution if possible, in particular by contacting their representatives, network heads, federations, associations, etc.

The public consultation is closed.