Global Privacy Enforcement Network (GPEN) Publishes Privacy Sweep Results
On 10 September 2014, the Global Privacy Enforcement Network (GPEN) published the results of its privacy enforcement survey or “sweep” carried out earlier in 2014 with respect to popular mobile apps. The results of the sweep are likely to lead to future initiatives by data protection authorities to protect personal information submitted to mobile apps.
The purpose of the sweep was to determine the transparency of the privacy practices of some 1,211 mobile apps and involved the participation of 26 data protection authorities across the globe. The results of the sweep suggest that a high proportion of the apps downloaded did not sufficiently explain how consumers’ personal information would be collected and used.
GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to strengthen personal privacy globally. GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.
Over the course of a week in May 2014, GPEN’s “sweepers” – made up of 26 data protection authorities across 19 jurisdictions, including the UK Information Commissioner’s Office (ICO) – participated in the survey by downloading and briefly interacting with the most popular apps released by developers in their respective jurisdictions, in an attempt to recreate a typical consumer’s experience. In particular GPEN intended the sweep to increase public and commercial awareness of data protection rights and responsibilities as well as identify specific high-level issues which may become the focus of future enforcement actions and initiatives.
The key negative findings of GPEN sweep include:
85 percent of apps failed to clearly explain how personal information would be processed.
59 percent of apps did not clearly indicate basic privacy information (with 11 percent failing to include any privacy information whatsoever).
31 percent of apps were excessive in their permission requests to access personal information.
43 percent of the apps had not sufficiently tailored their privacy communications for the mobile app platform – often instead relying on full version privacy policies found on websites.
However, the sweep results also highlighted a number of examples of best practices for app developers, including:
Many apps provided clear, easy-to-read and concise explanations about exactly what information would be collected, how and when it would be used and, in some instances, explained specifically and clearly what would not be done with the information collected.
Some apps provided links to the privacy policies of their advertising partners and opt-out elections in respect of analytic devices.
There were good examples of privacy policies specifically tailored to the app platform, successfully making use of just-in-time notifications (warning users when personal information was about to be collected or used), pop-ups and layered information, allowing for consumers to obtain more detailed information if required.
Many of the GPEN members are expected to take further action following the sweep results. For its part, the UK ICO has commented that in light of the above results, it and other GPEN members intend to write to developers identified as deficient. The Belgian Privacy Commission has, in addition, confirmed that cases of gross violations of data protection law identified in the sweep would be forwarded to and dealt with by the relevant authorities.
This article was written with contributions from Rob Lister.