The Big Brother Awards were recently handed out in Brussels to privacy violators. This year, one of the two awards was presented to privacy-intrusive apps. The Flemish Bar Association supported the nomination of such apps due to their generalised data collection practices and often unclear privacy policies.
The 2014 and 2015 sweeps performed by the Global Privacy Enforcement Network ("GPEN"), an informal network of 57 privacy enforcement authorities in 43 jurisdictions worldwide, revealed that many apps indeed raise substantial privacy concerns.
The main concerns are the following:
- Absence of or insufficient information on data collection practices.
- Disconnect between the permission requested (eg permission to access contacts, photographs, a camera, etc) and the app's functionality (for example, a flashlight app that requests access to the user's contacts).
- Inadequate protective controls to limit use by and the disclosure of personal information relating to children.
Given that the development of apps is exploding and people (including children) are using more apps for a wide variety of purposes, including sensitive ones such as health monitoring, it is important that appropriate attention be paid to data collection and privacy in the app development process.
We would therefore like to give the following recommendations to app developers.
1. Know what you're doing
It's impossible to protect user privacy if you don't know whether you are collecting personal data, the personal data being collected, if any, why the data are being collected, and how long they will be stored, etc.
Therefore, when developing an app, it's strongly recommended to conduct and document a privacy impact assessment ("PIA"). The PIA will provide a clear overview of what is being done and identify issues and areas for improvement. Also, be vigilant when using off-the-shelf third-party tools such as software developer kits, which may be processing and sharing data without your knowledge.
Of course, to begin with, you should always consider whether you really need to collect personal data.
2. Know who you're doing it with
Personal data collected via apps can be easily shared with third parties on a large scale. It's important to identify the parties with whom data are shared as you have a legal obligation to inform the data subjects (users) of the identity of the recipients of their personal data. Furthermore, if you are sharing data with a third party acting as a data processor, you will need to put appropriate data processing agreements in place.
3. Duly inform users
Transparency towards users is of the utmost importance. Information should be provided in a clear and transparent manner and adapted to the user's profile (eg children or adults). Furthermore, information should be made available to users prior to installation of the app and should also be accessible from within the app.
4. Put in place adequate controls
Appropriate mechanisms should be put in place to obtain user consent. Consent should be requested before the app starts collecting or placing information on the user's device, and subsequently for each type of data the app will access, at least for specific categories of data such as location, contacts, the unique device identifier and the identity of the data subject/phone.
Ensure that users can uninstall the app and delete data where appropriate.
If your app targets children or is in practice used a lot by children, limit data collection insofar as possible, provide easily understandable warning messages that, where necessary, ask children to consult their parents before proceeding, and integrate protective mechanisms aimed at preventing inadvertent disclosure of personal data.
5. Secure your app
Appropriate security measures must be put in place to adequately protect user privacy. The European Union Agency for Network and Information Security (ENISA) has published guidelines for the development of secure apps.
More information and additional recommendations for app developers and other stakeholders can be found in the Article 29 Working Party's Opinion 02/2013.