25 April 2016

Apps and privacy legislation

One privacy benefit of app stores is that they generally inform the app user of the rights or permissions required by the app.  Sometimes the need for specific permissions are obvious from the purpose of the app.  Sometimes app authors explain why they need specific permissions (and one can then decide whether to trust such an explanation or not).  Often enough I decide that the permissions required by an app outweighs its utility (for me) and I keep on using the old version or, more often, uninstall the app.

One of the harder choices that some time ago confronted me was an upgraded app from my bank that requested the permissions in the screenshot below.

Of course the right to use certain features of a mobile device does not mean that the app uses those features to collect any personal information.  However, the permission provides the app with the ability to collect such information.  In the privacy literature the notion of a data controller is well known.  In the South African Protection of Personal Information (POPI) Act (2013) a record is "any recorded information" "(b) in the possession or under the control of a responsible party" [emphasis added] (c) "whether or not it was created by a responsible party", with the responsible party being the party that "determines the purpose of and means for processing personal information".  Processing is "any operation or activity or any set of operations ... concerning personal information, including" (b) using it.  Hence it seems reasonable for me to expect that privacy legislation provides me with some protection when some party obtains control over private information on my device.  At the time of writing this post, the major South African privacy legislation is not yet in effect, but what the legislator has in mind in clear.

There are two obvious limitations to the protection one can expect from privacy legislation.  Firstly, privacy legislation often first and foremost attempts to protect the privacy of those who live, work and/or transact in the jurisdiction where the law applies, so not all apps would be guided by the same norms.  Secondly, one should certainly not be obliged to accept the permissions requested by the app - uninstallation should remain a viable option.