2022/10/11

“To use or not to use, that is the question” – Mobile applications and the right to be forgotten

Author: Fouad Abdelrazek (LLD Candidate)

Research Group: Law, Technology and Design Thinking


We are living in a rapidly digitalizing world. Due to the increase in computing power of mobile phones, and the exponential growth of smart mobile applications for various purposes,[1] people from all walks of life depend on mobile applications to assist them in daily tasks. Moreover, the easy download and installation of mobile applications and their flexibility to be used anywhere, at any time, has engaged people in their use.[2]

Although generally handy, mobile applications raise a set of privacy and security concerns. Mobile applications can collect large quantities of personal information from their many sensors, including location, biometrics, and other sensitive data. This information, processed together with the records of users’ interaction with the web service, could also be used to build users’ profiles and pose risks to their fundamental rights.[3]

In a mobile application ecosystem, when data is collected about, or from, a mobile device, the personal nature of mobile device usage implies that such data has to be considered personal data in the context of the General Data Protection Regulation (GDPR).[4] Nevertheless, does that mean such data is automatically protected in practice, and there is no need to heed caution?

Our culture of convenience often leads us to think that all we need to do to delete our data from the application is to delete the application itself from the device. However, while the active elements may be uninstalled, that doesn’t always mean that the personal data we’ve uploaded using the application has been deleted. Even if a message appears to warn us that deleting the application will also delete the data, this usually only means that the data will be deleted from the device itself, but it still exists on the developer’s server.[5]

If the user decides to delete his personal data, he has to use his right to be forgotten (RTBF), which is set out in Article 17 of the GDPR. However, it is also important to note that the RTBF is not an absolute right, and it only applies in certain circumstances.[6] As a result, the mobile application user will face many obstacles regarding this right. It is important to highlight that individuals cannot have their personal data deleted when they need to use the application if the application requires the use of the individual’s personal data for its intended purpose. In other words, the user cannot use the mobile application without providing it access to the necessary personal data. Also, users cannot simply withdraw their consent to provide necessary personal data as long as they need to use this application. This is due to the fact that the application will not function unless the user accepts and gives permission to the application provider to gather their personal data.

So, in order to truly protect our data, we are left with the question, “to use, or not to use?”, and a controversial decision of whether to take it or leave it. Either you give permission to various service providers, and possibly third parties, to use your “necessary” personal data, or you do not use the application that you may require for an educational purpose, for transportation, or even as your only means of connection to friends and family in various countries.

Despite service providers receiving legitimate consent from the users and even if they are being transparent about the use of data, users are still not fully in control of their data or aware of the privacy issues they may face. And although users must be given the option to change their wishes and revoke their decision at any time,[7] they usually will not if their need for using the application wins over their privacy concerns. Hence, the available privacy protection privileges will not deny the truth that the provider of the mobile application is using and processing the user’s personal data to enable him to use the application. Consequently, it is important to know whether the use of mobile applications controls us or whether we are in control of our own use of mobile applications.

We will find that most of the people who use mobile applications generally need more than one application in their routine lives. This need forces people to give consent to the mobile application provider to access and process their personal data to function, even if they have concerns or would otherwise be cautious to do so. Accordingly, the need to use mobile applications is the controller of this relationship. Thus, it is not necessarily the technology itself, but the need for the technology, that controls our usage and provision of data.

Accordingly, this will impact the effectiveness of implementing the RTBF in the mobile applications being used. Since the erasure of identified, or identifiable, personal data from the mobile application could lead to the inability to use this application, users may no longer want to do so. This will lead to inefficiency in the usage of an important right that was given to the users, especially since it gives them the power to control their data. Not only that, but it could put the RTBF regarding mobile applications out of service.

As a result, it is important to raise awareness of how precious our personal data is and how to protect it, in order to push toward the development of more transparent mobile applications. Such applications should allow for their usage with minimal data collection, provide more precise and simplified information on the usage of personal data, and allow opting out of unnecessary data collection, thus giving more control to individuals and their rights.

References:

[1] Islam, R., Islam, R., & Mazumder, T. (2010). Mobile application and its global impact. International Journal of Engineering & Technology (IJEST), 10(6), 72-78.

[2] Nathan, S. S., Hussain, A., & Hashim, N. L. (2016). Studies on deaf mobile application: Need for functionalities and requirements. Journal of Telecommunication, Electronic and Computer Engineering, 8(8), 47-50.

[3] European Data Protection Supervisor (2016) “Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions”.

[4] Castelluccia, C., Guerses, S., Hansen, M., Hoepman, J. H., van Hoboken, J., & Vieira, B. (2017). Privacy and data protection in mobile applications: A study on the app development ecosystem and the technical implementation of GDPR.

[5] Peters, B. What Happens to Your Personal Data after Deleting an App. https://techspective.net/2020/12/01/what-happens-to-your-personal-data-after-deleting-an-app/

[6] Information Commissioner’s Office (2018). Guide to the general data protection regulation (GDPR). Right to erasure. Retrieved from: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

[7] European Data Protection Supervisor (2016) “Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions”.