The EU’s General Data Protection Regulation (GDPR) has now been in force for a couple of years. Generally speaking, those tasked with enforcing it have been encouraged by the results. The regulation is apparently accomplishing most of its goals, albeit slowly. That said, there is an interesting paradox developing in the mobile app space.
A recently released study looking at hundreds of popular mobile apps in Germany reveals that app developers do not appear to be as responsive to their GDPR obligations as they should be. What is the paradox? Even as mobile users increasingly prefer their phones over desktop and laptop computers, app developers appear to be less concerned about data privacy.
It could be that we are enabling bad behaviour among app developers through our own lack of awareness. For example, when someone mentions the GDPR and online commerce, does your mind immediately think of laptop computers and web browsers? For some reason, a lot of us tend to disassociate mobile apps from private information, as though they somehow work differently from web browsers.
1. Failing to Respond
The German researchers wanted to know how effectively mobile app developers and vendors responded to subject access requests. Under the GDPR, users have the legal right to ask organisations that collect their personal data to demonstrate how that data is used and secured. They also have the right to know exactly what personal information is being stored and used by organisations.
Organisations are required to respond when users request access to the appropriate information. It turns out that many of them do not. Between 2015 and 2019, the researchers sent access requests to 225 mobile app vendors in Germany. The requests were sent in three different stages. Here’s what they found, measuring each stage separately:
- 19-26% were unreachable or did not reply
- 15-53% of the requests were declined
- 7-13% of the responses contained false or misleading information
- 27% of the accounts established for the study vanished during the study period
It is clear from the numbers that mobile app developers are not yet fully on board with the GDPR. Whether that is due to ignorance, deliberate choices, or a lack of resources remains unclear. What is clear is that the mobile app community still has a long way to go.
2. Not Asking for Much
There is something about the German study that makes its results even more disturbing: the way the study was conducted. The researchers set about creating accounts for each of the mobile apps, just as a normal user would. Then they used each app for about 10 minutes. They followed up by making an access request to each vendor.
Using a mobile app for 10 minutes does not generate a lot of data. In fact, it generates very little data for some types of apps. Thus, it should not have been all that difficult for vendors to comply with access requests. The data is there. Its volume is small. There isn’t a complex web that has to be untangled to respond properly to an access request.
In short, the researchers were not asking for much. They were asking for the bare minimum just to see whether app developers would comply with the GDPR. The fact that so many did not is troubling. Adding insult to injury, a second line of inquiry by the researchers showed that many of the app developers had the resources to comply but were failing to do so.
3. The Solution Is Easy
Nothing good can come out of app developers refusing to comply with the GDPR. Fortunately, there is an easy solution. App developers can bring in GDPR consulting specialists to audit their apps and GDPR procedures. Those consultants can then recommend the necessary changes to ensure compliance.
In terms of developing new apps, GDPR specialists should be part of the equation from the ground up. By building an app with the GDPR in mind, developers can address all the mechanical issues that ensure compliance. After that, it is just a matter of those people in certain positions doing their jobs.
Should app developers go to the trouble and expense of bringing in consultants to audit existing apps? Common sense says they should. GDPR enforcement to date has not been as aggressive as the law allows. But leniency is not going to last forever. At some point, regulators are going to start coming down hard on violators. App developers will not be spared.
Right or wrong, the GDPR is the law of the land in Europe. It also applies to any overseas companies that have operations or serve customers in the EU. It matters not whether an organisation relies on a traditional website or a mobile app to do what it does. Any organisation that collects, utilises, and stores user data must comply with the GDPR.