Members of the Global Privacy Enforcement Network (GPEN) have released the results of their May 2014 privacy sweep. A common theme is the need for greater transparency regarding data collection and use before a mobile App is downloaded.

Background

GPEN is a network of data protection authorities drawn from 39 jurisdictions around the world. The May 2014 sweep is the second coordinated review of privacy disclosures conducted by GPEN. Last year’s sweep focused on website privacy policies. In Canada, website privacy policies were criticized for excessive use of boilerplate and overbroad statements.

This year’s GPEN sweep focused on mobile App privacy disclosures. As in 2013, data protection authorities in 19 countries participated in the sweep. Among the 26 authorities in those countries who participated were the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of British Columbia (BC OIPC). In total, GPEN members reviewed 1,211 Apps (although some Apps may have been reviewed in more than one jurisdiction). The OPC reviewed 151 Apps that were either made in Canada or downloaded frequently in Canada. The BC OIPC reviewed 15 Apps.

Lessons Learned

The sweeps are not in themselves enforcement actions. Furthermore, the results of the sweeps are not, in Canada at least, conclusive identification of compliance issues. Nevertheless, the benchmarking and the lessons learned from the sweeps are quickly becoming a valuable resource for organizations wishing to adopt best practices in privacy disclosures. Although the naming of individual organizations is controversial, the OPC’s commentary on specific disclosures is one of the most valuable activities of the OPC.

This year’s privacy sweep did not disappoint for helpful advice. In Canada, the OPC has published a blog post that includes examples of disclosures that were found to hit the mark, as well as disclosures that caused various degrees of concern – ranking privacy disclosures as “App-Laudable”, “Dis-Appointing” and “Lapp-luster”.

Among the lessons learned are:

A major (and yet relatively easy to resolve) issue is ensuring that App privacy disclosures fit the medium of a small screen.

Generic requests for permissions to access data are not sufficient to obtain meaningful consent. Instead, App privacy disclosures should be specific with respect to what is collected, used and disclosed. This theme builds on the results of last year’s sweep of website privacy policies and the OPC’s current regulatory theme of transparency.

App developers must explain why permissions are sought. In other words, it is not sufficient to state what information might be accessed; developers must also explain what personal information will actually be collected, used and disclosed, and for what purpose. The collection, use and disclosure of the personal information must be reasonable in light of the App’s functionality.

Just-in-time disclosures when an App wishes to access location or other specific categories of personal information should supplement pre-download disclosures and lengthy policies wherever possible.

The BC OIPC would prefer to see two layers of disclosure: permissions disclosures before an App is downloaded, and a more detailed privacy policy posted to a website.

In connection with the release of the results of this year’s mobile Apps sweep, the OPC issued a helpful fact sheet “Ten Tips for Communicating Privacy Practices to Your App’s Users”.

Regional Differences

The mobile App sweep revealed regional differences in the results. In Canada, the sweep was, overall, a good news story. The OPC reported that 28 per cent of Apps reviewed received top marks for overall satisfaction with privacy communications, compared to the global average of 15 per cent. Nevertheless, 42 per cent of Apps failed to provide pre-download disclosures.

The situation was worse elsewhere. Down under, the story was not as encouraging: the Office of the Australian Information Commissioner found that 70 per cent of Apps reviewed did not provide users with a privacy policy before the App was downloaded. Globally, an average of 59 per cent of Apps failed to provide pre-installation disclosures.

Overstepping

One potential criticism of these sweeps is that they have the potential to overstep the regulatory boundaries of data protection authorities. This is particularly a problem where privacy disclosures are connected with or intertwined with other issues that may be beyond the core expertise of the data protection authority. The danger is that the data protection authority may comment on an issue without having received submissions from the entity caught up in the sweep. For example, the Office of the Privacy Commissioner of Canada raised concerns about a common provision in online terms of use in which the user of the App grants a licence to the App developer with respect to user content. Whether the licence was overbroad cannot be determined without considering other aspects of intellectual property law that may be beyond the jurisdiction of the Commissioner and, in any event, would require a detailed understanding of the economic bargain between the user of the App and the developer, and of the intellectual property rights necessary to allow the App to function.

Looking for More?

Here are links for more information on the results of the GPEN sweep:

Office of the Privacy Commissioner of Canada, “Global privacy sweep raises concerns about mobile apps”

Office of the Information and Privacy Commissioner of British Columbia, “B.C. app developers need to do a better job of providing privacy information to users”

Office of the Australian Information Commissioner, “Mobile apps must put user privacy first”

Data Protection Commissioner of Ireland, “Global privacy sweep raises concerns about mobile apps”