Hong Kong Privacy Commissioner takes lead on Privacy Regulation of Mobile Apps
On 9 December, 21 privacy enforcement authorities around the world issued an open letter to seven of the world's leading app marketplaces calling on them to make app privacy policies available to users prior to downloading.
The open letter was initiated jointly by the Office of the Privacy Commissioner for Personal Data, Hong Kong (the "PCPD") and the Office of the Privacy Commissioner of Canada. Other signatories to the letter included the UK Information Commissioner, the Privacy Commissioners of Australia and New Zealand and the Vice President of the Korea Internet and Security Agency.
The open letter follows a May 2014 study of over 1,200 mobile apps from around the world which was conducted by the Global Privacy Enforcement Network ("GPEN"), an association of 26 privacy regulators, including the PCPD. The study concluded that a significant number of mobile apps do not make adequate disclosure to users. Specific findings include:
- 85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information;
- More than half (59%) of the apps left users struggling to find basic privacy information;
- 31% requested an excessive number of permissions to access additional personal information; and
- 43% of the apps failed to tailor privacy communications to the small mobile device screen, either by providing information in a too small print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages.
In addition to the open letter sent last week, the PCPD has also recently published its own guidance to mobile app developers in Hong Kong. The Best Practice Guide for Mobile App Development can be downloaded in full here: http://f.datasrvr.com/fr1/814/28028/Mobileapp_guide_e.pdf
While the PCPD's guidance is directed at small and medium sized app developers, the principles set out in the document are important for businesses of all sizes seeking to promote or transact their businesses through mobile apps in Hong Kong or that are engaged in the development of mobile app technologies. In particular, the PCPD's continued advocacy of "Privacy by Design" - the concept that technology should be developed from the outset with privacy concerns in mind - will be an important business consideration.
Overview of the Hong Kong guidance:
Parts A and B of the guidance provide background information on the application of Hong Kong's Personal Data (Privacy) Ordinance ("PDPO") to app development and the six data protection principles that underpin the PDPO.
Part C explains the "Privacy by Design" concept and encourages developers to consider privacy issues throughout the entire development life cycle of the app.
Part D is aimed at apps which access the personal data of their user and provides developers with a checklist for applying the Privacy by Design approach as the app is being developed. Through a series of questions the developer is encouraged to complete a checklist that examines each type of data being collected by the app and to consider, systematically, how the app can be built with the least intrusion to a user's personal data privacy.
Part E provides some best practice recommendations where user data is accessed or collected by an app and is linked to the information compiled by the developer in the checklist in Part D. In particular, app developers are encouraged to only access the types of data necessary for the app and ensure that their privacy statements are tailored for their particular apps. Privacy policies should state clearly whether the apps would access data on the user's smartphone, the types of data that would be accessed and why and how such access would be carried out. This information would then allow users to make an informed decision whether or not to download and use the app.
For apps that do not access or collect personal data, Part F of the guidance reminds developers that transparency is one of the cornerstones of the PDPO. Even if no personal data is being collected from users, developers are advised to make this clear to the user through a privacy statement before the app is installed.
Compliance is critical:
The results of the 2013 GPEN global survey were equally disappointing, particularly for Hong Kong, where 60 of the most popular local smartphone apps were reviewed, with many found to be defective. Following last year's survey, improving privacy and data protection in the use of apps became a key area of focus for the PCPD, which stepped up its educational efforts by conducting seminars targeted at app developers and launching a dedicated website on online privacy at www.pcpd.org.hk/besmartonline.
Failure to comply with data privacy requirements in Hong Kong can have consequences that go far beyond simply monetary fines and other regulatory sanctions: very often reputational issues are also in play. In the latest published figures for 2013, the PCPD reported a 48% per cent increase in complaints and a doubling of enforcement notices. Moreover, the incident and investigations that followed showed a greater willingness by the Commissioner to "name and shame" businesses that he believes have fallen foul of the law, making the consequences of non-compliance far greater than in the past.
Details of the local results for the 2014 GPEN survey are awaited but the lack of publication of those results by the PCPD as the end of the year approaches suggests that little improvement has been made by developers in Hong Kong in the last 12 months. The Privacy Commissioner has already indicated that if standards do not improve enforcement action against offenders will not be ruled out. The timing of the open letter and this latest guidance note suggests that it may be the first in a series of follow up actions to be taken by the PCPD to try and ensure compliance by mobile app developers.