Visitors to Hong Kong travelling on the MTR are often struck by the ubiquity of smartphones and tablet devices. According to the latest figures, Hong Kong now has two and half smartphones for every person. As such, it is critical for Hong Kong businesses to use smartphone apps to keep in touch with their customers.
However, as consumers become more dependent on smartphone apps, surveys show that we are also becoming more concerned about the personal data they collect. In a recent survey, nearly half of respondents said they would not be willing to provide personal data in exchange for a free or discounted app. There is also a lack of awareness about the ways in which smartphone apps collect personal data – 46% of respondents were not aware that an app could track their location, but when told about this feature, 70% of those respondents had objections to it.
Each year, the Hong Kong Privacy Commissioner for Personal Data (the Commissioner) participates in a global “privacy sweep” of smartphone apps conducted by Global Privacy Enforcement Network. In 2014, the Commissioner found that 31% of apps requested permissions exceeding what he would have expected based on the apps’ functionality, and 59% of apps had inadequate pre-installation privacy communications.
Late last year, the Commissioner published the Best Practice Guide for Mobile App Development (the Guide), a set of guidelines on the development of smartphone apps. The Guide applies requirements of the Personal Data (Privacy) Ordinance (the Ordinance) to mobile app development, explains the “privacy by design” approach to app development and provides best practice recommendations.
Personal data commonly collected through smartphone apps includes name, email address, mobile phone number and device IDs. An app may also have access to other data stored on the phone, such as calendars, contacts, SMS messages and web browsing history, which might contain personal data.
The Ordinance applies to any person who controls the collection, holding, processing or use of personal data through a smartphone app from within Hong Kong. It does not matter whether the app users or the servers with which the smartphone app communicates are located in Hong Kong. However, foreign privacy laws may also apply to an app that is used internationally.
The Guide sets out a number of important ways in which the Ordinance applies to smartphone apps:
- An app should only collect personal data that is necessary to perform its purpose, and only use the personal data it collects for that purpose. Where practical, the app should make the provision of personal data optional (and should explain what functionality is only available if personal data is provided).
- An app should make the user aware of the personal data it collects, where that would not be obvious to the ordinary non-technical user.
- The app developer should take all practicable steps to provide the user with a PICS before the app collects any personal data (e.g. during installation). The PICS should state:
- that the app collects personal data;
- whether the user has an obligation to supply the data;
- the proposed use of the data;
- the types of third parties (if any) to whom data will be disclosed; and
- the individual’s rights to seek access under DPP 6.
- It is not sufficient to rely on the “permissions” screen in Android or iOS. These screens show a list of permissions the app requires, but do not specifically explain why each permission is required. It is also important to note the Commissioner’s comments that the PICS for a smartphone app should be “tailored” for the smartphone screen.
- The Ordinance requires that personal data be deleted if no longer required, subject to any law or legitimate purpose which requires retention. When the user uninstalls the app or requests their account be closed, the app should offer the option to delete all related personal data. This includes personal data stored on the device, but also personal data stored on a server.
- An app must take all practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure or use. What is “practicable” will depend on the kind of data and the harm that could result. This applies while data is stored on the device, and also to communications with a server. Transmission and storage of personal data should be protected by encryption and access control based on “least-privileged rights” and “need to know” principles.
- The app developer must offer users a way to access and correct their personal data – either on a self-service basis through the app, or manually through the developer.
The Guide also outlines the principles of “privacy by design” app development. Privacy by design is a development philosophy which seeks to build privacy features into an app at the development stage, instead of trying to address privacy concerns later on.
Privacy by design involves considering whether the functionality of an app requires the data it collects or permissions it obtains, and asking whether the same functionality could be achieved collecting less or no personal data. For example, could the location feature of the app collect the user’s district rather than exact GPS coordinates? Could the app ask the user for their age instead of their date of birth?
Privacy by design also involves managing user expectations in order to build trust. An app should be open, transparent and specific about what data it collects and what it does with it. This is particularly important if the user may not be aware that the app is collecting personal data or is combining data from multiple sources. Losing a few users by being upfront about the app’s functionality is better than losing many users later.
Finally, privacy by design involves minimising risk, by protecting data using encryption and access controls and only transmitting or uploading personal data off the device when necessary. For example, an app which looks up a result based on the user’s location can be made more secure if it first maps the user’s GPS coordinates to a district on the device, before uploading the district to the server for further processing.