The Hong Kong Privacy Commissioner has taken a keen interest in promoting and ensuring the privacy compliance and security of mobile apps. On 21 April 2016, the Office of the Privacy Commissioner for Personal Data (the PCPD) held the 'Mobile App Development Forum on Privacy and Security' (Forum) for the mobile app industry. The Forum discussed key issues that mobile app developers, businesses and stakeholders should consider when developing and operating mobile apps, both to ensure compliance with the provisions of the Personal Data (Privacy) Ordinance and to safeguard users from cybersecurity risks.
Businesses operating in the mobile app industry and related stakeholders are advised to take note of the key points raised at the Forum, and the related issues they should consider, set out below.
Lessons to learn from mobile apps in the market
Security remains a key concern in relation to personal data collected and handled by mobile apps. Alarmingly, it was revealed at the Forum that some extremely popular mobile apps had failed to apply adequate security measures to safeguard users' personal data.
Enforcement risks for mobile apps
At the Forum, the Privacy Commissioner referred to recent enforcement actions taken against mobile apps, largely on the grounds of excessive data collection and inadequate security of personal data.
In recent years, the Privacy Commissioner has served enforcement notices on operators of mobile apps as well as on parties related to those operators. As a result, the relevant companies have taken corrective action; in some instances the Privacy Commissioner's enforcement action attracted significant media attention, and some of the mobile apps concerned are no longer available in the market.
However, there is a limit to the Privacy Commissioner's enforcement powers, as demonstrated by a high profile incident in November 2016 concerning call-blocking apps whose activities the PCPD suspected of contravening Hong Kong's data privacy law. Because the apps' operators were located outside Hong Kong, the Privacy Commissioner could only refer the matters to the relevant overseas data protection authorities for follow-up action.
It is very likely that the privacy compliance of mobile apps will remain under the close watch of the Privacy Commissioner in the coming months.
Privacy by Design
The Chief Personal Data Officer of the PCPD, Dr Henry Chang, highlighted the 'Privacy by Design' approach that businesses should adopt. It brings privacy to the foreground and embeds it, from the outset, into the design specifications and throughout the entire development life cycle of a mobile app. The key factors to consider are set out below:
- Data minimisation: The collection of personal data should be reduced to the absolute minimum, especially where sensitive personal data is involved. An assessment of what data (and what device access) the business genuinely requires from users should be undertaken at the outset, before development begins.
- Surprise minimisation: Businesses should be transparent with users about what data will be collected or accessed, and should give users a choice to opt out of such access or use where possible. It is important for businesses to manage users' expectations and to eliminate or minimise any possible adverse effects of data collection and use.
- Risk minimisation: Businesses must ensure adequate protection of data both in transit and at rest, for example through encryption and access control.
- Trust and respect: To earn the trust and respect of users, businesses are recommended to go beyond minimum legal compliance and inform users of what data the mobile app accesses or collects, even where that data does not amount to personal data. This matters because mobile devices hold a vast amount of personal data and other data that users may regard as private, and users will be concerned about whether the mobile app accesses or collects any of it.
More generally, businesses should treat personal data privacy as a competitive advantage that wins market reputation and the trust of users, rather than as a compliance hurdle to be cleared in order to avoid investigation or enforcement action by the Privacy Commissioner. Businesses should ensure that the data collection and handling practices of their mobile apps are not only compliant with the law, but also that their privacy policies, privacy notifications and consent mechanisms are sufficiently clear and transparent to gain the trust and respect of users.