Posted by Mei-Ling Huang, Partner
Are the apps that you use continuing to put your privacy at risk?
We all use smartphone apps; in fact, many of us have come to rely on the apps on our phones to assist us in our daily lives – from online shopping, to internet banking, to watching live footage of what our pets are doing at home whilst we are at work.
But what do these apps do with the personal data they collect from us when we sign up, click download or enter our credit card details, and has the introduction of the GDPR made any difference?
A recent investigation into popular apps by consumer group Which? has illustrated that, despite the GDPR coming into force on 25 May this year, many apps are still able to collect large amounts of personal information from you, whether you realise it (or consent to it) or not.
Which? tested 29 Android and iOS apps this summer. One positive outcome was that all of them used encryption to some extent, an improvement on Which?’s previous investigation, which had found that many of the popular apps tested were failing to encrypt user data properly (or at all).
However, the investigation did show that some of the apps were using questionable strategies – such as bundling multiple permission requests into a single option, so that you cannot decide which of the requests you agree to and which you don’t – in order to collect more of your personal information than you may actually wish to share.
Among other concerns, Which? also found that some apps, including Amazon’s app, were tracking the movements or general location of users without explicitly or clearly notifying them or asking for permission during setup.
What does this mean post-GDPR?
A key transparency requirement under the GDPR is that individuals have the right to be informed about the collection and use of their personal data. This means being provided with clear privacy information, at the time the data is collected, about a number of things including the purposes for processing the personal data, retention periods and details of who the data will be shared with. That information must be concise, transparent, intelligible, easily accessible and given in clear and plain language.
One of the criticisms raised during the Which? investigation was that many of the apps tested “risk confusing users with over-complicated and long-winded privacy policies and T&Cs”. Which? noted that the terms and privacy policies of the 29 apps tested totalled 333,336 words and that, based on average reading speed, it would take 22 hours 21 minutes to read all the policies in one go. They pointed out that this would take longer than a Harry Potter film marathon (although users might be left feeling just as confused!).
Overall, the Which? investigation found that in some cases, the apps did not “quite match the spirit of the GDPR” and that others used practices that were probably lawful but raised questions over the future of privacy.
It seems obvious to us that if the information provided to app users at the time they agree to download does not conform to the requirements set out above, there is a significant risk that these app developers are breaching the GDPR and could be subject to large fines.
Oxfordshire-based cyber and technology specialist, Richard Marsh, says that “with the noise slowly dying down on GDPR and the public returning to normal life, many have made the assumption that GDPR is magically working away to protect us and our personal information. However, the reality is far from that. In fact, some of the largest organisations have taken the opportunity to establish what they will and will not do with your data, but have wrapped the information that should legally be clear, unambiguous and given freely to users, in agreements, policies, systems and yet more tick boxes which actually cloud the information and trick users into agreeing to things they would never agree to if explained in plain English”.
So how can you protect your personal data?
Richard Marsh highlights the importance of data security in today’s world of ever-increasing reliance on technology. However, he believes that we are only 10% of the way to truly protecting our data and identities. Whilst the larger companies are either continuing to act as they did pre-GDPR, or working on ways around the GDPR in order to share personal data between them for their own gain, consumers are still trying to understand the basic rights they have in relation to their own personal data.
There is clearly a lot more work to be done, and it is not yet clear what impact the GDPR has actually had on the way companies collect and use personal data. Whilst those questions remain unanswered, there is only so much we as individuals can do to protect our personal data. Richard’s advice, and ours, is to do what you can to keep the personal data in your control safe – use encryption, protection and strong passwords, and take time to carefully review and properly understand terms and conditions before accepting them.
If you have any concerns about how your personal data might be collected or used, contact us without delay to discuss whether or not your concerns might give rise to a need to report a potential breach to the Information Commissioner’s Office.
Alternatively, if you are a company developing apps or other software and have concerns about your technical or procedural responsibilities under the GDPR, our privacy team can advise you on your obligations and assist you in putting clear yet comprehensive policies and procedures in place, whilst working with our third-party specialists in relation to your technical safeguards.
If you have any enquiries, please contact Lucy Nash on:
01865 268 685