On May 6, the Office of the Privacy Commissioner of Canada (the “Commissioner”) announced mobile apps as the Global Privacy Enforcement Network’s (“GPEN’s”) focus area during the upcoming International Privacy Sweep (the “Sweep”). The Sweep will be held from May 12 to 18, 2014, involving 27 privacy enforcement authorities from around the world. The news release describes that this year’s Sweep will aim at “shedding light on the collection and use of personal information on mobile apps.”
This year, 27 authorities will participate in the Sweep, compared to 19 last year. Sweep participants will review “some of the most popular apps or apps that are of particular interest” and examine “the types of permissions an app is seeking, whether those permissions exceed what would be expected based on the app’s functionality, and most importantly from a transparency perspective, how the app explains to consumers why it wants the personal information and what it will do with it” according to the news release issued by the Commissioner.
The news release highlights some authorities’ plan to focus on health-related apps or apps developed by public sector organizations. In addition, the Office of the Australian Information Commissioner (“OAIC”) separately announced on May 6, 2014 that the OAIC would “examine 50 of Australia’s most popular apps” when it participates in the Sweep.
The result of the Sweep will likely be informative to organizations involved with mobile apps as concerns identified during the Sweep will result in “follow-up work such as outreach to organizations and/or enforcement actions.” Note that the Commissioner describes that it followed up with a number of organizations following the last year’s Sweep and, subsequently, many organizations agreed to make significant changes to their privacy policies. The results of this year’s Sweep will be compiled and expected to be made public by the fall 2014.
GPEN was formed based on the OECD’s Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy adopted in June 2007. Currently various privacy enforcement authorities are members of GPEN, including the U.S. Federal Trade Commission, European Data Protection Supervisor, Commission Nationale de l’Informatique et des Libertés (“CNIL”), and the U.K. Information Commissioner’s Office ("ICO").