Nowadays, data breaches have become natural occurrences, with new cases reported practically daily. Privacy breaches using intrusive mobile apps have also become one of the primary global concerns. Smartphones today are used for various purposes, including work, shopping, entertainment, and health tracking.
The global mobile apps market generated a staggering $318 billion in revenue in 2020 according to Statista. Unfortunately, trust is easy to lose and difficult to gain in today’s digital age. Numerous mobile-app related breaches have been reported including LINE, Babylon Health, and Indonesia’s Contact Tracing App.
This gives mobile application developers a new challenge: how they can create an application people can trust that combines appeal and functionality. This new challenge can also pose unique challenges for Data Protection Officers (DPOs). Fortunately, there are also data privacy courses offered to address these new challenges.
Apart from data privacy courses, there are also data protection courses DPOs can take to help them develop the skills and expertise they need to do their jobs more efficiently.
Mobile Apps Associated Risks
Using a mobile application comes with certain risks. Throughout the daily operations of a mobile application, data will pass through the organisation in four stages: collection, usage/processing, transfer/disclosure, and retention/storage. Below are some of the risks developers need to be aware of when developing their mobile applications.
Collection
- Lack of valid consent
- Too many requests for permissions
- Collecting sensitive personal information of minors without verifying parental consent
Usage/Processing
- Too much data processing compared to consent given
- Invasion of analytics/privacy
- Tracking of surveillance/usage
Disclosure/Transfer
- Accidental disclosure/leakage
- Violation of cross-border rules
- Unauthorised disclosure to third parties
Storage/Disposal
- Data leak caused by inadequate security protocols
- Identity theft
- Improper disposal of data
Data Breaches Involving Mobile Apps
There is recent media coverage on data breaches involving mobile apps.
WhatsApp Fine
WhatsApp paid a 225 million Euro fine by the Irish data protection regulator after being pressured by the EU privacy watchdog. WhatsApp was also fined for their failure to be transparent about how they process personal information (both user and non-user data). They were not also transparent about how data was shared between other companies under Meta or Facebook.
Earlier, WhatsApp updated their terms of use as well as their privacy policy to notify users that they are required to read and agree to their new terms by 8 February 2021, the initial stipulated date. Failure to do so and WhatsApp will delete the user’s account. Understandably, the move received massive public backlash. This caused the changes to be delayed until May of 2021.
Alleged COVID-19 Contact Tracing App Breach (Indonesia)
Several media outlets reported about a possible data breach of the Indonesia Health Alert Card (eHAC), an app that was designed to track the spread of the COVID-19 pandemic. The system has approximately 1.3 million users’ data. An encryption provider known as vpnMentor reported that the data included COVID-19 test results, ID card and contact information.
What Organisations Can Do
Organisations need to carefully assess privacy risks that are involved at every stage so they can implement the required and relevant controls that can help mitigate these data breach issues. It is also recommended that they have a Data Protection Officer or Data Protection Committee involved in the process together with other relevant teams. Also, Data Protection Impact Assessments should also be carried out for current processes or when the organisation develops a new product.
