Out-Law News
06 Mar 2012, 2:39 pm
A researcher with MWR InfoSecurity said that "a lot" of the top 50 most popular apps Android users could download for free allow both apps and advertisers to access personal information stored on their device, according to the report.
Apps can access the information because of permissions given by users when they choose to download an app, but advertisers are often given the same access rights as a result of "advertising inside the applications," the researcher said. Channel 4 said its research had found that one advertising network, MobClix, appeared to have access to users' address books, location data and calendars.
The precise access to data that advertisers have depends on the specific permissions users agree to when they download apps, but at no point are users told that third parties will also be able to access the information, according to the report. Channel 4 said the issue may affect "tens or hundreds of thousands of apps".
The EU Justice Commissioner said that valid consent is required in order for personal data to be processed lawfully, the report said.
"This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this," Viviane Reding said, according to Channel 4.
"Maybe you want somebody to get this data and agree and it's fine. You're an adult and you can do whatever you want. But normally you have no idea what others are doing with your data. They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences. That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change," she said.
Reding has proposed stricter rules on obtaining user consent to the processing of their personal data under draft new data protection laws in the EU.
Organisations would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under new EU data protection laws being proposed.
Consent could not be gleaned through silence or inactivity on the part of individuals and instead would have to be obtained through a statement or "clear affirmative action" before it could be said to have been given, the proposals said.
The proposals, contained in the draft General Data Protection Regulation, outline that consent to personal data processing would not be legally valid if there is "a significant imbalance between the position of data subject and the controller". Individuals should also have the right to withdraw their consent at any time, the draft said.
Organisations could justify processing personal data without consent in select circumstances, including if the "legitimate interests" of the organisation outweigh the fundamental rights of the individuals concerned. However, in the case of direct marketing for commercial purposes, consent would be required before personal data could be processed, the proposals said.
Companies would be expected to lay out information about the collection and processing of personal data in easy-to-understand language. The draft also states new rules for gaining consent to the processing of personal data relating to children.