The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the “PCPD”) held the “Mobile App Development Forum on Privacy and Security” (“Forum”) for the mobile app industry which discussed key issues for mobile app developers, businesses and stakeholders to consider when developing and operating mobile apps in terms of ensuring compliance with the provisions of the Personal Data (Privacy) Ordinance and safeguarding users from cybersecurity risks.

Businesses operating in the mobile app industry and related stakeholders are advised to take note of the below key points raised at the Forum and related issues that they should consider.

Lessons to learn from mobile apps in the market

The Privacy Commissioner highlighted the results of a recent survey on popular mobile apps developed by Hong Kong entities which revealed a lack of transparency of the personal data handling in relation to the apps. The survey results revealed that most of these local apps did not explain clearly what data they would access and the purposes for such access, and that only around half of these mobile apps provided a privacy policy.

A key risk discussed at the Forum was that the drafter of the privacy policies may not have a complete understanding of what data is in fact collected, stored, used and/or shared by the app, for example in the case of using third party codes in the app development. Businesses using the one privacy policy for all of its mobile apps which differ greatly in the way users’ data are handled also run the risk of having imprecise privacy policies for individual apps.

Security remains a key concern in relation to personal data collected and handled by mobile apps. It was revealed at the Forum that alarmingly, some extremely popular mobile apps failed to apply adequate security to safeguard users’ personal data.

Enforcement risks for mobile apps

The Privacy Commissioner referred to enforcement actions that were taken on mobile apps recently largely due to excessive data collection and inadequate security of personal data.

In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as related parties to the app operators. As a result, the relevant companies have taken corrective actions and in some instances, the Privacy Commissioner’s enforcement action attracted much media attention and some of these mobile apps are no longer available in the market.

It is most likely that the privacy compliance of mobile apps will continue to be under the close watch of the Privacy Commissioner in the coming year.

Privacy by Design

The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the ‘Privacy by Design’ approach that business should adopt, which brings privacy to the foreground and embeds privacy from the outset into the design specifications and throughout the entire development life cycle of a mobile app. Set out below are key factors that should be considered:

  • Data MinimisationThe collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data the business requires from users in terms of access and collection should be undertaken at the outset.
  • Surprise MinimisationBusinesses should ensure there is transparency to users in terms of what data will be collected or accessed, and provide users with a choice to opt-out from such access or use where possible. It is important for businesses to manage the expectations of users and eliminate or minimise any possible adverse effects of data collection and use.
  • Risk Minimisation Businesses must ensure adequate protection of data being transmitted and/or stored, for example, through encryption and access control.
  • Trust and Respect To earn the trust and respect of users, it is recommended that businesses go beyond minimum compliance with the law and inform users of what data the mobile app accesses or collects, even if they do not amount to personal data. This is key as mobile devices contain a vast amount of personal data and other data that may be considered private and users would be concerned about whether the mobile app accesses or collects any of this data.

In particular, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than a compliance hurdle to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure the data collection and handling practices in respect of their mobile apps are not only compliant with the law, but that the privacy policies and privacy notifications and consents are sufficiently clear and transparent, to gain the trust and respect of users.