How to avoid data protection deficiencies?
There are fundamental principles of data protection that can serve as a guideline of sorts for meeting the privacy by design/default approach; among those of German and EU data protection law are principles such as
- the principle of data avoidance and minimization: keeping the personal data processed to the absolute minimum. One application of this principle cited by the privacy guidelines is to limit the granularity of location data as needed. While a navigation app of course needs a user’s exact coordinates, a weather app should not even be designed to pinpoint any precise location, relying instead only on the city concerned.
- the purpose limitation principle protects data subjects by setting limits to the collection and further processing of their data. This means that data may only be used for the purposes for which it was collected and that were disclosed to the data subject, even if statutory permission exists to use it in other ways as well.
- the principle of immediacy requires that personal data be collected directly from the person concerned. Wherever possible, an app should therefore ask the user to provide information instead of obtaining it from third-party sources (such as app stores/distribution platforms).
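The location-granularity point under data minimization can be enforced in code before a coordinate ever leaves the device. The following is an added example, not taken from this article or from the guidelines it cites; the function name `coarsen_location` and the 10 km default cell size are assumptions chosen for illustration.

```python
import math

KM_PER_DEG_LAT = 111.32  # approximate length of one degree of latitude


def coarsen_location(lat, lon, cell_km=10.0):
    """Snap a precise fix to the centre of a grid cell about cell_km wide.

    Every point inside one cell yields the same output, so the value sent
    to a backend (e.g. a weather service) cannot be used to recover where
    in the cell the user actually was.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    if cell_km <= 0:
        raise ValueError("cell_km must be positive")

    # Latitude rows have constant height in degrees.
    lat_step = cell_km / KM_PER_DEG_LAT
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    lat_c = max(-90.0, min(90.0, lat_c))  # a partial row at a pole

    # A degree of longitude shrinks with cos(latitude). Use the row centre,
    # not the raw latitude, so all points in a row share the same columns.
    cos_lat = max(math.cos(math.radians(lat_c)), 1e-6)
    lon_step = min(cell_km / (KM_PER_DEG_LAT * cos_lat), 360.0)
    lon_c = (math.floor((lon + 180.0) / lon_step) + 0.5) * lon_step - 180.0
    lon_c = (lon_c + 180.0) % 360.0 - 180.0  # wrap at the antimeridian

    # Rounding only trims float noise on the cell centre; it does not
    # reintroduce precision from the original fix.
    return round(lat_c, 4), round(lon_c, 4)


if __name__ == "__main__":
    # Constructed sample fixes: two points in central Berlin, one in Munich.
    for name, fix in [("Berlin A", (52.520008, 13.404954)),
                      ("Berlin B", (52.50, 13.40)),
                      ("Munich", (48.137154, 11.576124))]:
        print(name, fix, "->", coarsen_location(*fix))
```

Coarsening should happen on the device, before transmission or logging, so the precise fix is never stored or sent by the app.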
Technical aspects of data security
Data security aspects are another part of the privacy by design/default approach. In order to prevent excessive development and repair costs, critical vulnerabilities must be avoided from the outset.
The so-called technical and organizational measures are set out in Section 9 (including the annex) of the German Federal Data Protection Act (BDSG). The Düsseldorfer Kreis considers the following aspects particularly relevant for mobile apps:
- Using secure logon credentials,
- Avoiding the transmission of unique identifiers (IMEI/UDID/…),
- Using secure data transmission,
- Using local data storage vs. cloud storage where possible.
In the next installment: Specific issues – payment, children, tracking.