A study of 20 apps’ terms and conditions by the Norwegian Consumer Council has found that three location-tracking apps may be in breach of European data protection law.
In an official complaint to the Norwegian Data Protection Authority, the consumer advocacy group singled out US-based fitness tracking app Runkeeper as a cause for concern.
The study, conducted by independent researcher SINTEF, found that the app tracks and transmits personal data, such as location, fitness level and fitness habits, to a third party when not in use.
The Norwegian Consumer Council identifies this data collection as unlawful under European law, as at no point does the user consent to their data being used in this manner.
Furthermore, the council cites the EU directive stating that personal data may only be collected providing it is reasonable and relevant in order to provide the service.
The complaint states that “[Runkeeper] requests unreasonably wide ranging permissions compared with the access actually needed to deliver the service … we fail to see a need for obtaining such location information for functionality purposes, and would ask whether this is in line with the rules of purpose limitation”.
In addition to its unlawful data collection, SINTEF identified that the app retains its users' personal information after the app has been deleted, and even after the user closes their account, a fact that is not made explicit anywhere in the app's privacy policy or terms of service.
“According to the Data Protection directive, controllers must limit the length of time they store and process personal data,” the Norwegian Consumer Council stated.
“Data may only be kept for as long as it is relevant. Apps such as Runkeeper should therefore not continue to store personal data long after a user has stopped using the service or when the user has asked for their account to be deleted.”
The consumer council acknowledges that, because FitnessKeeper Inc. is a US-based company with no EU subsidiaries, the Data Protection Authority may be limited in its capacity to impose sanctions on the app provider.
However, the council points out that Runkeeper and other apps are widely used in Europe and are specifically marketed to a European audience, making this breach a legitimate concern.