ICO needs to rethink how to tackle mobile apps privacy failings, says expert

Out-Law News | 12 Sep 2014 | 3:42 pm | 3 min. read

The UK's data protection authority needs to rethink its strategy for combatting failings in mobile apps privacy, an expert has said.

Telecoms law specialist Jon Fell of Pinsent Masons, the law firm behind Out-Law.com, said detailed guidance produced by the Information Commissioner's Office (ICO) that explains to mobile app developers how to adhere to the UK's Data Protection Act (DPA) may not be delivering better compliance from industry.

Fell was commenting after research conducted by the ICO and other privacy watchdogs across the world highlighted failings in the way information concerning the collection, use and disclosure of app users' personal data is being displayed on consumers' mobile devices.

The Global Privacy Enforcement Network (GPEN), which is made up of a number of data protection authorities based across the world, assessed the transparency of more than 1,200 mobile apps' privacy practices in May this year. The ICO said the results show that "many app developers are still failing to provide [privacy] information in a way that is clear and understandable to the average consumer".

"App developers can currently take advantage of mobile devices' operating systems that allow them default access to personal information in many cases," Fell said. "Regulators should insist that a new system of privacy indicators be deployed within app stores to ensure prospective app users are prompted with clear, bite-sized details about personal data use by apps alongside accessible consent buttons before downloading apps."

"In line with the push towards better 'privacy by design', if operating systems were built in such a way that push notifications appeared on users' screens the first time that apps tried to access a particular function on a phone, such as location data, users' photos or their contacts, then that would help address existing failings," he said.

"Achieving the same level of transparency and legal standard for consent to processing personal data might be achievable by following the ICO's guidance on mobile apps privacy; however, that guidance is unlikely to be read and understood by many app developers. Mandating a simplified labelling model, and ensuring app stores are held to account where apps they sell do not comply, would be a much more effective way of changing app developers' behaviour than researching transparency failings and pointing industry to complicated guidance to alter their practices," Fell said.

Fell said that a similar simplified labelling system had been developed by the Moms with Apps group in the US to help parents understand the measures taken by app developers to protect children's identity. He said, though, that changing the way privacy information is displayed to mobile app users would only be effective if consumers were made better aware of the consequences of enabling access to their personal data.

"Consumer studies have shown that many young people are increasingly relaxed about their online privacy whilst even sophisticated users in other age groups are not always aware of exactly what they are being asked to give their consent to," Fell said.

According to the results of the GPEN study, 85% of all the mobile apps reviewed by the regulators "failed to clearly explain how they were collecting, using and disclosing personal information".

The regulators struggled to locate "basic privacy information" relevant to the apps at the pre-download stage in 59% of cases, the results reported by the ICO and Canada's privacy watchdog, the Office of the Privacy Commissioner of Canada, revealed. The study also found that 31% of mobile apps reviewed appeared to ask for more personal data from users than was necessary, the regulators said.

In 43% of cases, apps failed to communicate privacy messages in a way appropriate for users of mobile devices, the regulators said. Information displayed was either "in a too small print" or hidden within "lengthy privacy policies that required scrolling or clicking through multiple pages", the ICO said.

Late last year the ICO published guidance for mobile app developers on compliance with the UK's Data Protection Act (DPA). Among other things, that Act requires businesses to explain to customers the purposes for which their personal data may be processed, and often requires those companies to obtain the individuals' consent before proceeding with that processing.

In its guidance, the ICO recommended that app developers use 'just-in-time notifications' to inform users about the imminent processing of personal data. Those notifications could be displayed on users' screens to explain how app developers intend to use personal data collected through the app, and would enable the developers to achieve the legal standard for 'consent' under the DPA, the watchdog said at the time.

In revealing the results of the GPEN's review of mobile apps' compliance with privacy rules, the ICO said that some app developers have deployed just-in-time notifications within their apps and are engaging in other good practices too.

"The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more," the ICO said. "The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when."