Privacy in Mobile Apps in the UK
1. Privacy Risks in Mobile Apps
Mobile applications (social media apps, fitness trackers, banking apps, shopping apps, gaming apps) typically involve:
(A) Location Tracking
- Continuous GPS monitoring
- Background location access
(B) Device and Behaviour Tracking
- Advertising IDs
- App usage patterns
- Cross-app tracking and profiling
(C) Access to Sensitive Device Features
- Camera and microphone access
- Contacts and call logs
- Photos and media storage
(D) Biometric Data Use
- Face ID, fingerprint login
- Emotion or attention tracking (in some apps)
(E) Third-Party SDK Sharing
- Data shared with advertisers and analytics providers
- Real-time bidding ecosystems
These raise risks of covert surveillance, excessive profiling, and loss of user control over personal data.
2. Legal Framework in the UK
Mobile app privacy is regulated by:
- UK GDPR Article 5: fairness, transparency, data minimisation
- Article 6: lawful basis (usually consent or legitimate interest)
- Article 9: special category data (biometrics, health data)
- Article 22: automated decision-making safeguards
- Data Protection Act 2018
- PECR: rules on cookies, tracking, and electronic marketing
- Human Rights Act 1998 (Article 8): right to private life
3. Key Case Law Relevant to Mobile App Privacy
Although UK courts rarely refer specifically to “mobile apps,” several landmark cases define how personal data, tracking, and digital surveillance must be handled.
1. Google LLC v Vidal-Hall (2015 EWCA Civ 311)
Principle:
Misuse of private information is a standalone tort, and compensation for distress is available without financial loss.
Relevance to mobile apps:
- Mobile apps tracking user behaviour without proper consent may constitute misuse of private information.
- Psychological harm from hidden tracking (location or browsing behaviour) is legally actionable.
- Forms the foundation for privacy claims against app developers.
2. Vidal-Hall v Google Inc (CJEU influence background)
Principle:
Data protection breaches can result in damages for non-material harm such as distress or anxiety.
Relevance:
- Mobile apps that silently collect sensitive behavioural or location data can cause legal harm.
- Reinforces strict consent requirements for app tracking and analytics tools.
3. Lloyd v Google LLC (2021 UKSC 50)
Principle:
Representative claims require proof of individual harm; mere unlawful data collection is not enough.
Relevance to mobile apps:
- Large-scale mobile app data breaches (millions of users affected) do not automatically lead to compensation.
- Each user must show specific damage or distress.
- Limits mass claims against app developers and platforms.
4. WM Morrison Supermarkets plc v Various Claimants (2020 UKSC 12)
Principle:
Employers are not automatically liable for employee misconduct unless closely connected to duties.
Relevance:
- App developers and companies may face internal risks where employees misuse app data.
- Liability depends on whether actions were within authorised roles.
- Important for apps with backend staff access to user data.
5. S and Marper v United Kingdom (2008 ECHR)
Principle:
Retention of sensitive biometric data without justification violates Article 8 privacy rights.
Relevance to mobile apps:
- Many apps use biometric authentication (fingerprint, facial recognition).
- Storage of biometric templates must be strictly limited and justified.
- Prevents indefinite retention of sensitive identity data.
6. R (Bridges) v South Wales Police (2020 EWCA Civ 1058)
Principle:
Automated facial recognition must be lawful, necessary, and proportionate.
Relevance:
- Mobile apps using facial recognition (e.g., identity verification, filters, security login) must meet strict legal thresholds.
- Excessive biometric surveillance via apps is unlawful if not proportionate.
7. Durant v Financial Services Authority (2003 EWCA Civ 1746)
Principle:
Defines “personal data” narrowly: the data must have biographical significance for the individual, not merely mention them.
Relevance to mobile apps:
- Not all app-generated logs qualify as personal data.
- Helps distinguish between anonymised analytics and identifiable user data.
8. NT1 & NT2 v Google LLC (2018 EWHC 799)
Principle:
Balances privacy rights with legitimate public interest; supports right to erasure.
Relevance:
- Mobile app users can request deletion of outdated personal data.
- Supports data minimisation and “right to be forgotten” in app ecosystems.
4. Key Privacy Issues in Mobile Apps (from Case Law Principles)
(A) Consent Must Be Clear and Informed
From Vidal-Hall
- Hidden tracking or default-enabled permissions are not valid consent.
- Users must actively agree to data collection.
(B) Behavioural Tracking Can Cause Legal Harm
From Vidal-Hall
- Location tracking and behavioural profiling without consent can cause distress and legal liability.
(C) Large-Scale Data Breaches Require Proof of Harm
From Lloyd v Google
- Even if millions of app users are affected, compensation requires individual harm.
(D) Employer or Developer Liability Is Conditional
From WM Morrison
- Internal misuse of app data must be closely connected to authorised duties to create liability.
(E) Biometric Data Use Must Be Strictly Controlled
From Bridges and S and Marper
- Facial recognition or fingerprint data in apps must be necessary and proportionate.
- Storage must be minimal and secure.
(F) Not All App Data Is Legally Personal Data
From Durant
- Aggregated usage statistics may not always fall under GDPR protection.
(G) Data Must Be Deletable and Time-Limited
From NT1 & NT2
- Users must be able to delete personal app data where retention is not justified.
5. Practical Implications for Mobile App Developers in the UK
To comply with UK law, mobile app providers must:
1. Transparent Consent Mechanisms
- Clear opt-in for tracking, location, and analytics
- No pre-checked boxes
2. Strict Permission Controls
- Only request necessary device permissions
- Explain why access is needed
3. Data Minimisation
- Collect only essential user data
- Avoid unnecessary background tracking
4. Strong Security Measures
- Encrypt stored and transmitted data
- Secure APIs and third-party SDKs
5. Controls on Third-Party Sharing
- Limit data sharing with advertisers and analytics firms
- Ensure compliance with UK GDPR
6. Biometric Data Safeguards
- Minimise use of facial recognition or fingerprint storage
- Ensure strict retention limits
7. User Rights Support
- Enable data access, correction, and deletion
- Support portability of user data
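Several of the obligations listed above (opt-in with nothing pre-ticked, retention limits, deletion and portability) can be enforced in the app's own data layer rather than left to policy documents. The following is an added illustration written for this page; it is not code from the page or from any real app or SDK, and the store, purpose names, timestamps and sample events are all constructed assumptions. It models a per-purpose consent ledger that defaults to "no consent", gates every collection call on that ledger, purges events past a retention period, removes data on withdrawal, and answers access and erasure requests.

```python
"""Consent-gated collection with retention limits (added example, assumed design)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

# Assumed purposes; each must be agreed to individually, nothing is pre-ticked.
PURPOSES = ("location", "analytics", "advertising")


class ConsentDeniedError(PermissionError):
    """Raised when a component tries to collect data the user never opted in to."""


@dataclass
class ConsentRecord:
    purpose: str
    granted: bool
    recorded_at: datetime
    notice_version: str  # privacy-notice version the user actually saw


@dataclass
class UserDataStore:
    """Per-user store: consent ledger plus collected events under a retention limit."""
    retention: timedelta
    consents: dict = field(default_factory=dict)  # purpose -> ConsentRecord
    events: list = field(default_factory=list)    # (timestamp, purpose, payload)

    def has_consent(self, purpose: str) -> bool:
        # Default deny: a missing record is treated exactly like a refusal.
        rec = self.consents.get(purpose)
        return rec is not None and rec.granted

    def record_consent(self, purpose: str, granted: bool, notice_version: str, now: datetime):
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        self.consents[purpose] = ConsentRecord(purpose, granted, now, notice_version)

    def collect(self, purpose: str, payload: dict, now: datetime):
        # Single gate for all collection, so a bundled SDK cannot emit events
        # for a purpose the user never agreed to.
        if not self.has_consent(purpose):
            raise ConsentDeniedError(f"no opt-in recorded for '{purpose}'")
        self.events.append((now, purpose, payload))

    def withdraw(self, purpose: str, now: datetime) -> int:
        # Withdrawal is itself recorded (auditable) and the data gathered under
        # that purpose is dropped, since its justification for retention is gone.
        prev = self.consents.get(purpose)
        self.record_consent(purpose, False, prev.notice_version if prev else "n/a", now)
        before = len(self.events)
        self.events = [e for e in self.events if e[1] != purpose]
        return before - len(self.events)

    def purge_expired(self, now: datetime) -> int:
        # Retention limit: anything older than the configured window is removed.
        cutoff = now - self.retention
        before = len(self.events)
        self.events = [e for e in self.events if e[0] >= cutoff]
        return before - len(self.events)

    def export(self) -> str:
        # Subject access / portability: everything held, machine-readable.
        return json.dumps({
            "consents": [vars(c) for c in self.consents.values()],
            "events": [{"at": t, "purpose": p, "payload": d} for t, p, d in self.events],
        }, default=str, indent=2)

    def erase(self) -> int:
        # Erasure request: drop all collected data for this user.
        n = len(self.events)
        self.events.clear()
        return n


def demo() -> dict:
    """Run the lifecycle on constructed sample data and return checkable counts."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = UserDataStore(retention=timedelta(days=30))

    # 1. Collection before any opt-in is refused (no pre-checked boxes).
    try:
        store.collect("location", {"lat": 51.5, "lon": -0.12}, t0)
        denied_before_optin = False
    except ConsentDeniedError:
        denied_before_optin = True

    # 2. User opts in to location and analytics only; advertising stays denied.
    store.record_consent("location", True, "notice-v3", t0)
    store.record_consent("analytics", True, "notice-v3", t0)
    store.collect("location", {"lat": 51.5, "lon": -0.12}, t0)
    store.collect("analytics", {"screen": "home"}, t0 + timedelta(days=10))
    store.collect("location", {"lat": 51.6, "lon": -0.10}, t0 + timedelta(days=35))
    store.collect("analytics", {"screen": "settings"}, t0 + timedelta(days=40))
    try:
        store.collect("advertising", {"ad_id": "constructed-id"}, t0)
        ad_denied = False
    except ConsentDeniedError:
        ad_denied = True

    # 3. At day 45 the two events older than 30 days are purged.
    purged = store.purge_expired(t0 + timedelta(days=45))
    # 4. Withdrawing location removes the remaining location event.
    removed = store.withdraw("location", t0 + timedelta(days=46))
    exported = json.loads(store.export())
    erased = store.erase()

    return {"denied_before_optin": denied_before_optin, "ad_denied": ad_denied,
            "purged": purged, "removed_on_withdrawal": removed,
            "events_in_export": len(exported["events"]), "erased": erased}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that consent is checked at the single collection gate rather than at each UI toggle: an analytics or advertising SDK wired into the app has to pass through `collect`, so a default-enabled permission or a library that starts reporting on its own cannot produce data the ledger does not cover.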
Conclusion
Privacy in mobile apps in the UK is governed by strict legal standards that reflect the deeply personal nature of mobile device usage. Case law such as Google v Vidal-Hall, Lloyd v Google, and Bridges shows that mobile app data collection—whether through tracking, biometrics, or behavioural profiling—must always be transparent, necessary, and proportionate.
UK law consistently reinforces that mobile apps are not just software tools but powerful data collection systems, and therefore must operate under strong accountability, user consent, and privacy-by-design principles.