Data Protection Commissioner

Global Privacy Sweep

Raises concerns about mobile apps

As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants in the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found. This year, 26 privacy enforcement authorities, including Ireland, participated in the second Global Privacy Enforcement Network Privacy Sweep. The theme of the Sweep - Mobile Privacy - was chosen because many privacy enforcement authorities had identified mobile apps as a key area of focus in light of the privacy implications for consumers.

The results of the Internet Sweep offer some insight into the types of permissions some of the world's most popular mobile apps are seeking and the extent to which organisations are informing consumers about their privacy practices.

In total, 1,211 apps were examined. They included a mix of Apple and Android apps, free and paid apps as well as public sector and private sector apps that ranged from games and health/fitness apps, to news and banking apps.

Participants looked at the types of permissions apps were seeking, whether those permissions exceeded what would be expected based on the apps' functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it.

The Sweep, which took place May 12 to 18, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year's inaugural event. The growth of this year's Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The GPEN initiative is aimed at encouraging organisations to comply with privacy legislation and at enhancing co-operation between privacy enforcement authorities. Concerns identified during the Sweep will result in follow-up work such as outreach to organisations, deeper analysis of app privacy provisions and/or enforcement action.

2014 Sweep highlights:

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity of the information involved highlight the need for apps to be more transparent.
  • Some 59 per cent of apps left sweepers scrambling to find pre-installation privacy communications. Many offered little information about why the data was being collected or how it was being used prior to download, or provided links to webpages with privacy policies that were not tailored to the app itself. In other cases, the links led to social media pages that didn't work or required the user to log in. Sometimes it was difficult to determine who the developer or data controller was.
  • For nearly one-third of the apps (31%), sweepers expressed concern about the nature of the permissions being sought. Sweepers felt the apps requested access to information that exceeded their functionality, at least based on the sweepers' own understanding of the app and the associated privacy policy.
  • Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.
  • Just a fraction of apps examined, 15 per cent, provided a clear explanation of how they would collect, use and disclose personal information. The most privacy-friendly apps offered brief, easy-to-understand explanations of what the app would and would not collect and use pursuant to each permission.

In Ireland's case, the Sweep involved the examination of 20 apps drawn from across various sectors, including Transport, Retail, Media, Banking, Entertainment and Government. The Irish Sweep took place on 14 May 2014.

The most striking finding based on the results of the Sweep was that 55% of apps examined by the Irish Sweep Team were allocated a score of 2, i.e., the privacy information provided only partially explains the app's collection, use and disclosure of personal information, with questions remaining with regard to some of the permissions requested.

In terms of best practice, the Sweep Team examined 2 apps (10%) in relation to personal finance - Ulster Bank and Tralee Credit Union - and found that both scored highly on how the app explains how it collects, uses and discloses the associated personal data. At the other end of the scale, the Team found that 15% of apps examined failed to provide adequate information to the customer, while a further 5% provided no privacy information whatsoever.

About the Global Privacy Enforcement Network (GPEN)

The Global Privacy Enforcement Network was established in 2008 on the recommendation of the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network comprises 47 privacy enforcement authorities in 37 jurisdictions around the world.