Why the ‘privacy by design’ approach to mobile apps isn’t enough

Our phones hold an insane amount of our personal and sensitive data

Change of mindset

Applying a privacy by design approach requires a change of mindset by developers. They must be proactive, rather than responding after the fact to a data breach that could have been prevented. The days of collecting as much personal data as possible in the hope that it might prove valuable later are gone. Developers must align data collection to a specific purpose for which the data is needed and communicate that to app users. They should also anonymize or delete the data as soon as possible.

Privacy should become a key component of design methodology, selection of technical tools, and organizational value statements.

These are important changes, endorsed in guidelines for mobile app developers published by the Global System for Mobile Communications and by regulators in the US, the UK, Australia, and Canada, among others. In the EU, “data protection by design and by default” is now a legal obligation of the General Data Protection Regulation.

But, as my research shows, this might not be enough without the redesign of the app ecosystem to address data sharing, a view supported by other research. According to one study, most apps transmit data directly to third parties, like Google, Facebook, and ad exchanges, via trackers embedded in the app code. But I found that privacy laws do not comprehensively or consistently address this third party sharing.

The term “third party” is not defined in the Protection of Personal Information Act, but would include ad networks, content-sharing sites and social networking platforms. Third parties are thus distinguished from downstream processors who may perform specified data processing on your behalf under a contract.

It is difficult to enforce legal liability against these third parties, who are often outside the country where the app was developed. Their terms and conditions typically place full responsibility for privacy compliance by the app on the app developer. This may leave app users unprotected. But it could also expose the app developer to unforeseen legal liability.

Liability for the app developer arises because, under both the Protection of Personal Information Act and the General Data Protection Regulation, if you played a role in determining “the purpose or means” of data processing, you are a “joint” responsible party (data controller) for the data processed by the third party.

The European Court of Justice has twice held small businesses liable as “joint controllers” for Facebook’s collection of data, via a fan page and a like button. Although the judgments stress that joint control is not necessarily “equal liability”, this should still be a concern for app developers.

For example, app developers using the Facebook Software Development Kit are sharing personal data with Facebook. Event logs such as “app installed”, “SDK initialized” and “app deactivated” give detailed demographic and behavioral insights about an app user. In 2018 Privacy International reported that the setting to delay transmission of logged events until after the user has consented was only added by Facebook 35 days after the General Data Protection Regulation came into force, and then only if enabled by the developer for SDK version 4.34 or higher. This change appears to have followed repeated bug reports filed on the developer’s platform.

Takeaways

The takeaway here for developers following a privacy by design approach is to “trust but verify”:

Prosecuting app developers who breach data laws is important but not enough. Ultimately the parties who design the technologies and platforms on which mobile apps are built and marketed must be brought within the legal accountability framework to close the privacy loop.

Article by Dusty-Lee Donnelly, Lecturer in Law & Advocate, High Court of South Africa, University of KwaZulu-Natal

This article is republished from The Conversation under a Creative Commons license. Read the original article.
