Own goal: risks of processing personal data through smartphone apps
As smartphone capabilities and the ubiquity of their usage increases, an increasing number of functions that were previously performed by standalone devices have now moved into the app ecosystem – but doing so raises the risks of personal data misuse, and consequently regulatory scrutiny under data privacy laws. Recent advice and comments provided by EU data protection regulators regarding Qatar FIFA World Cup apps highlight this risk
Smartphones contain and collect a vast repository of data
Of all the items carried on a person, one can infer the most information about someone contained in their smartphone. A wallet may contain receipts (for the financially organized) and photographs (for the sentimental), and potentially high-risk and/or sensitive data (through receipts, membership cards or medical certificates, if they are carried in these wallets). However, this pales in comparison to the vast amount of personal data that can be gleaned through access to a person’s smartphone. The information that can be contained within smartphones, in particular conversation history, photo and video albums, locations visited and timing of such visits, app data and personal notes and reminders all provide an intimate picture into a person’s life, habits, locations and preferences. It is noteworthy that, for this reason, U.S. police officers cannot generally search a person’s phone without a warrant, although other items such as wallets and purses may be searched on the basis of probable cause. In the UK, the searching of a mobile phone’s contents (also known as Mobile Phone Extraction, or MPE) also requires a warrant although there are several other statutory bases that permit MPE without a warrant or court order.
Apps may access to this repository and can result in the unlawful collection of data
With such a wealth of information contained in smartphones, the potential for apps to infringe on an individual’s privacy rights is significant. This was noted by several EU data protection regulators, such as the Norwegian and French, with regards to two apps required for foreigners attending the upcoming FIFA World Cup in Qatar. These apps, comprising of the official FIFA World Cup app (Hayya) and a contact tracing app (Ehteraz) have been criticized for monitoring users’ locations, and for providing Qatari authorities with a wide remit to access, delete or change content on users’ smartphones. In some cases, apps have even been likened to a “cyber weapon”, particularly when they have been found to introduce cybersecurity vulnerabilities and monitor or track users without their knowledge.
If the FIFA World Cup were to be hosted in an EU member state, or the UK, these apps will almost certainly attract regulatory enforcement as they will not be compliant with EU data protection laws. This is not a new focus for European data protection regulators – similar concerns were raised in relation to national track and trace apps created in response to the COVID-19 pandemic. Despite the clear public interest and urgency of the pandemic, European data protection regulators were mindful to stress the need for data to be processed in accordance with data protection law, due to the significant risk of interference with private life that could result from the unchecked processing of location and health data, and for data protection principles to still be respected.
Notwithstanding the desired functionality and ease of use, fundamentally, app developers should consider key questions about their intended processing, including: (i) whether such functionalities are best captured through an app; (ii) whether personal data should be processed; and if so, (iii) how might the amount of personal data be limited to what is strictly necessary for such processing and how might the processing be limited to what is strictly necessary to fulfill its stated purposes. To address these issues, developers should consider the timely use of impact assessments. Developers of mobile apps need to make sure that products are robust from both a cybersecurity and data privacy standpoint – the European Commission’s “toolbox” for COVID-19 app developers and European Data Protection Board’s (the body with oversight of personal data regulation in the EU) guidelines for contact tracing apps may provide a useful starting point for app developers, as it provides practical guidance and recommendations on privacy-friendly features (albeit in the context of a global pandemic). If an app does not meet most of the recommendations contained therein, then it is unlikely that it will be compliant with EU data protection laws. On present facts, it is challenging to see how the Qatari apps, should they be implemented in the EU or UK, be deemed compliant or avoid regulatory scrutiny and possible enforcement sanctions – and as important as the World Cup may be to some, trying to justify such broad personal data processing relating to sports matches on the grounds of public interests equal to those seen as global pandemic may be seen as foul play rather than fair play and may have regulators reaching for their red cards.
“Our smart phones are powerful repositories of highly sensitive personal information, including our intimate conversations, family photographs, location history, browsing history, biometric, medical, and financial data. They reveal patterns of our daily personal and professional lives and enable penetrative insights into our actions, behaviour, beliefs, and state of mind. It is no exaggeration to say that the personal data found in our mobile phones richly depict our lives.” Information Commissioner’s Office