Data Protection authorities warn of “alarming disregard” for users’ privacy by a number of app developers
Apps are a significant threat to users’ privacy and reputations, with many app developers breaching EU data protection laws, according to a report released by Europe’s Data Protection Authorities.
The data protection authorities warn that users’ privacy on smartphones and tablets is only “as strong as its weakest link” and there is an “alarming disregard” for proper data management from some app developers.
The Article 29 Working Party says that without clearly informing users about how their personal information is being collected, developers are breaking EU law.
“A single data item can, in real time, be transmitted from the device to be processed across the globe or be copied between chains of third-parties. Some of the best known apps are developed by major technology companies but many others are designed by small start-ups.
A single programmer with an idea and little or no prior programming skills can reach a global audience in a short space of time. App developers unaware of the data protection requirements may create significant risks to the private life and reputation of users of smart devices.”
The organisation published a laundry list of the types of data that apps could access without users’ knowledge:
- Unique device and customer identifiers (such as IMEI, IMSI, UDID and mobile phone number)
- Identity of the data subject
- Identity of the phone (i.e. name of the phone)
- Credit card and payment data
- Phone call logs
- SMS or instant messages
- Browsing history
- Information society service authentication credentials (especially services with social features)
- Pictures and videos
- Biometrics (e.g. facial recognition and fingerprint templates)
The group also warns users that desktop browsers are increasingly accessing and recording personal information about users’ online activities.
The group says that it’s not just small app developers or start-ups that are failing to provide meaningful privacy information to users but also larger companies. It also says that privacy notifications presented to users before they install apps are often “meaningless”.
This lack of transparent handling of users’ data is made worse by developers’ “disregard (due to ignorance or intention) for the principle of purpose limitation which requires that personal data may only be collected and processed for specific and legitimate purposes.”
The group says that some developers are obscuring why they collect users’ data by describing it as “market research” with “many apps abundantly collecting data from smartphones, without any meaningful relationship to the apparent functionality of the app.”
The European Union already has strict data protection and user privacy laws which apply to any form of electronic data collected about its citizens. According to the report, this law overrides any contract or End User Licence Agreement (EULA) accepted by the user when they download apps, meaning that user agreements that force users to sign away certain privacy rights are not enforceable.
While the group says that app developers need to improve how they protect people’s privacy on smart devices, it also warns that the likes of Google and Apple must do more to prevent users’ personal information from being leaked to developers and the wider web.
The Working Group challenged app developers to find innovative ways to inform users about how their data is being used:
“App developers excel in programming and designing complex interfaces for small screens, and the Working Party calls on the industry to use this creative talent to deliver more innovative solutions to effectively inform users [about how their data is being used] on mobile devices”
More recommendations and warnings have been issued to app developers in the Working Party’s report.