'App is free' does not mean that the user is for sale

Data protection rules apply to mobile applications regardless of whether an app is free or paid for, and consent need to use the data needs to be specific and freely given through some form of affirmative act.

Discerning mobile application users, particularly the customers of Google Play, have been increasingly being warned about malware hidden in popular apps. Most of the time, the redressal that they get is either an alert or an update request.

Android is the most popular mobile operating system and its users are familiar with security alerts. Six Android apps downloaded 90 million times from the Google Play Store were found to have been loaded with the PreAMo malware recently. 

The latest in the list is CamScanner, a hugely popular Android app that takes high quality photographs of documents, has been downloaded more than 100 million times by Android users. It has been found to contain malware that shows intrusive ads and signs users up to paid subscriptions.

Where do the end user stand when her smartphone ends up being bugged by a malicious app that was downloaded from a trusted source such as Google Play Store? The present norms do not offer much relief to the consumer, said Martin Sloan, partner at Brodies Solicitors.

"While a number of laws are intended to protect consumers when downloading smartphone apps, in practice consumers may find that they have limited remedies in relation to app makers that breach those rules," Sloan told SC Media UK.

The laws on digital content have been evolving over the years. Users now have more rights in relation to digital content such as mobile apps. 

"However, these rules are largely aimed at providing consumers with adequate remedies, such as a refund, if the digital content does not work, such as buggy software or a corrupt media file," he said.

In the case of apps, the rules in consumer protection laws that protect consumers from unfair contract terms appear more relevant. Those rules also require that terms and conditions are jargon-free and unambiguous, Sloan explained.

"Users should watch out for any changes to the terms and conditions and privacy notices when downloading updates to apps. These won’t always be obvious – particularly if the user has enabled automatic updates on their device," he said.

Five users of the CamScanner app contacted by SC Media UK said that they never read the terms of acceptance while downloading the app. 

Apart from user apathy on tracking the specifics and holding the app-maker accountable, their geographic location also complicates the process.

"Data protection laws give users rights in relation to unlawful use of their personal data, including the right to complain to the likes of the Information Commissioner’s Office, but these may be difficult to exercise when the appmaker is located outside the EU," noted Sloan.

In the case of CamScanner, the malware was harvesting user information without consent. 

Data protection rules apply here, as they hold to account anyone or anything that collects and processes personal data, said Sloan. Processing needs to be fair and lawful and users need to be provided with information on how their personal data is used. 

Just because an app is free does not mean that it has the right to extract and sell user information. The data protection rules apply to them regardless of whether an app is free or paid for, asserted Sloan.

"While some use of personal data may be necessary in order for users to use the app, that does not mean that it is fair game for that personal data to be used for any purpose. If the appmaker is relying on consent for any processing, then that consent needs to be specific and freely given through some form of affirmative act. It can’t just be implied from the user downloading an app."

Moreover, the appmaker cannot arbitrarily change the terms and conditions once the user downloads the app, Sloan said.

"If an appmaker wishes to change how it uses personal data then is would need to provide the user with an updated privacy notice. Depending on the nature of the processing, it may also need to seek fresh consent from the user."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews