Members of the Global Privacy Enforcement Network (GPEN) have released the results of its May 2014 privacy sweep. A common theme is the need for greater transparency regarding data collection and use prior to the downloading of a mobile App.
GPEN is a network of data protection authorities drawn from 39 jurisdictions around the world. The May 2014 sweep is the second coordinated review of privacy disclosures conducted by GPEN. Last year’s sweep focused on website privacy policies. In Canada, website privacy policies were criticized for excessive use of boilerplate and over broad statements.
This year’s GPEN sweep focused on mobile App privacy disclosures. As in 2013, data protection authorities in 19 countries participated in the sweep. Among the 26 authorities in those countries who participated were the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of British Columbia (BC OIPC). In total GPEN members reviewed 1,211 Apps (although there may have been reviews of the some Apps in more than one jurisdiction). The OPC reviewed 151 Apps that were either made-in-Canada or downloaded frequently in Canada. The BC OIPC reviewed 15 Apps.
The sweeps are not in themselves enforcement actions. Furthermore, the results of the sweeps are not, in Canada at least, conclusive identification of compliance issues. Nevertheless, the benchmarking and the lessons learned from the sweeps are quickly becoming a valuable resource for organizations wishing to adopt best practices in privacy disclosures. Although the naming of individual organizations is controversial, the commentary by the OPC on specific disclosures is one of the most valuable activities of the OPC.
This year’s privacy sweep did not disappoint for helpful advice. In Canada, the OPC has published a blog post that includes examples of disclosures that were found to hit the mark, as well as disclosures that caused various degrees of concern – ranking privacy disclosures as “App-Laudable”, “Dis-Appointing” and “Lapp-luster”.
Among the lessons learned are:
A major (and yet relatively easy to resolve) issue is ensuring App privacy disclosures must fit the medium of a small screen.
Generic requests for permissions to access data are not sufficient to obtain meaningful consent. Instead, App privacy disclosures should be specific with respect to what is collected, used and disclosed. This theme builds on the the results of last year’s sweep of website privacy policies and the OPC’s current regulatory theme of transparency.
App developers must explain why permissions are sought. In other words, it is not sufficient to state what information might be accessed but also what personal information will be collected, used and disclosed. The collection, use and disclosure of the personal information must be reasonable in light of the App’s functionality.
Just-in-time disclosures when an App wishes to access location or other specific categories of personal information should supplement pre-download disclosures and lengthy policies wherever possible.
In connection with the release of the results of this year’s mobile Apps sweep, the OPC issued a helpful fact sheet “Ten Tips for Communicating Privacy Practices to Your App’s Users”.
The mobile App sweep revealed regional differences in the results. In Canada, the sweep was – overall – a good news story. The OPC reported 28 per cent of Apps reviewed received top marks for overall satisfaction with privacy communications compared to the global average of 15 per cent. Nevertheless 42 percent of Apps failed to provide pre-download disclosures.
Looking for More?
Here are links for more information on the results of the GPEN sweep:
Office of the Privacy Commissioner of Canada, “Global privacy sweep raises concerns about mobile apps”
Office of the Information and Privacy Commissioner of British Columbia, “B.C. app developers need to do a better job of providing privacy information to users”
Office of the Australian Information Commissioner, “Mobile apps must put user privacy first”
Data Protection Commissioner of Ireland, “Global privacy sweep raises concerns about mobile apps“