A coalition of Authorities for the protection of personal data of the Global Privacy Enforcement Network (GPEN) has urged distribution platforms to oblige app developers to inform users about any personal data that will be collected and how such data will be used before they download apps.
On 9 December 2014 the Italian Data Protection Authority along with 22 other global authorities sent an open letter to the operators of 7 specific app marketplaces, Apple, Google, Samsung, Microsoft, Nokia, Blackberry and Amazon.com urging them to make available to users a policy statement on the use of personal information before downloading apps.
“Apps make life easier”, according to Antonello Soro the Italian Data Protection Authority President “but all too often we inadvertently allow them access to an increasingly wide range of particularly sensitive personal data, not only phone contacts or photos, but also geographic location, or, as in the case of medical apps, health data. The risk is one of permanent digital monitoring which we are gradually getting accustomed to”.
The decision to publish the open letter follows the investigation conducted by GPEN last May, the results of which showed that many of the most downloaded apps request access to a wide range of data but do not provide adequate explanations for the reasons behind these requests.
In particular, out of a total of over 1200 applications analyzed globally, three-quarters of them request one or more permissions, generally regarding location data, the ID of each device, access to other accounts, the functions of video footage and phone contacts.
In 59% of cases it was difficult for the authorities to find any privacy practice information before installation. In many cases there is either very little information available before downloading on the aims of the data collection or about its subsequent use, or a link is provided to a web page where there is a privacy statement that does not correspond to the specifications of the app.
Only 15% of the apps under examination were found to have transparently clear privacy policies. In the best cases the apps offer concise and clear explanations of what the app will do or will not do with the data collected based on the individual permissions requested.
The text of the open letter has been published in English on the website of The Italian Data Protection Authority.