Who: The Information Commissioner’s Office (“ICO”)
Where: UK
When: 11 March 2016
Law stated as at: 7 April 2016
What happened:
The ICO has published a new blog post questioning what our mobile apps are actually doing. The blog post follows an ICO survey of 21 popular apps. The ICO analysed the apps to see whether they were compliant with data protection law generally, including checking whether the necessary data subject consents were obtained for data processing and whether personal data was adequately protected from cyber threats. The ICO found that, overall, the apps weren’t “panic-inducing”, although there was room for improvement in a number of areas to ensure full data protection compliance and to improve the customer experience. These include:
- using encrypted connections for login methods (i.e. HTTPS rather than plain HTTP);
- ensuring that encrypted connections are set up and used properly, for example checking digital certificates adequately (to prevent someone unlawfully impersonating the server and carrying out a “man-in-the-middle” attack);
- requiring more resilient passwords;
- obtaining consent for cookies; and
- improving transparency.
The ICO’s blog post highlights that the ICO takes data privacy and security concerns with mobile apps seriously and that this is firmly on the ICO’s radar as app use in our daily lives proliferates.
Why this matters:
The Data Protection Act 1998 (“DPA”) requires that data controllers process personal data fairly and lawfully and that they have in place appropriate technical and organisational measures to prevent personal data being damaged, lost or stolen. In practice this means that app developers should be transparent with users about how they will use and share their personal data, in a clear privacy notice, and should obtain a user’s consent to that use. In addition, app developers should ensure that they are taking proportionate steps (having regard to the state of technological development, cost, the nature of the data and the potential harm of a security breach) to ensure that users’ personal data is secure. This should apply throughout the data processing life cycle, from collection through to deletion of the personal data once it is no longer necessary for the purpose for which it was collected. Failure to comply with these requirements could lead to a fine from the ICO of up to £500,000, but under the new General Data Protection Regulation, which is expected to come into force in 2018, this will increase to EUR 20 million or up to 4% of worldwide turnover for serious breaches.
The ICO’s survey found that a number of the apps it reviewed could be doing more to comply with the DPA, particularly in relation to app security, which the ICO considers should be part and parcel of developing an app alongside improvements to the app service itself. App developers should therefore consider whether their products are compliant with the DPA to avoid a knock on the door from the ICO following bad mobile app security practice. In particular, developers should note that the ICO is not stopping at its sample survey of 21 apps but intends to evaluate apps on an ongoing basis, moving next to apps in the finance and wellbeing areas. The ICO has provided useful guidance on mobile apps specifically (see here: https://ico.org.uk/media/for-organisations/documents/1596/privacy-in-mobile-apps-dp-guidance.pdf) and also separately on encryption (see here: https://ico.org.uk/media/for-organisations/encryption-1-0.pdf) that developers should follow.
The recent news that WhatsApp has rolled out end-to-end encryption for its services goes to show that best practice compliance can bring positive publicity as well as keeping the regulator at bay. No doubt the ICO will be hoping that other app developers follow suit.