With the market for mobile applications (apps) booming, concern has increased around the amount and type of data that many apps collect and use. Recently, the Irish Data Protection Commissioner (DPC) along with data protection authorities from around the world (the DPAs) wrote an open letter to app marketplaces. The letter, dated 9 December 2014, called on app marketplace operators - like Google and Apple - to make links to app privacy policies mandatory. This letter followed the results of a global review of app privacy compliance which discovered that a significant majority of apps did not provide enough information about how consumers' data would be used.
Earlier in 2014, the Global Privacy Enforcement Network (GPEN), an alliance of DPAs, conducted its second annual 'privacy sweep' (the Privacy Sweep). GPEN seeks to encourage organisations to comply with privacy legislation and to increase cooperation between privacy enforcement authorities.
The Privacy Sweep focused on mobile privacy, as apps had been specifically identified as having potentially significant privacy implications for consumers. The Privacy Sweep examined over 1,200 apps from around the world and particularly focused on the types of permissions the apps were seeking (such as location, camera and microphone). GPEN wanted to discover whether or not the requested permissions exceeded what might normally be expected, based on the functionality of the particular app. The way apps explained the need for certain permissions, as well as the intended uses of data, was also reviewed.
International issues with privacy notifications
On an international level, the Privacy Sweep found that numerous apps were requesting permissions to access information that is potentially sensitive under certain laws. In particular, certain apps were requesting access to location data without explaining the need for such data. In addition, many of the apps that did provide privacy information were found not to have tailored the information to smaller screens. This resulted in issues with legibility due to the font size used in privacy policies.
How did Irish apps fare?
The Irish aspect of the Privacy Sweep took place in May 2014 with twenty apps from across various sectors being examined. These included apps for transport, banking, media and entertainment. The Irish Privacy Sweep found that more than half of the apps examined had insufficient privacy information, and only partially...