(15 December 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") conducted a survey1 of 60 popular mobile applications ("apps") developed by Hong Kong entities and found that their transparency in terms of privacy policy was clearly inadequate and there was no noticeable improvement compared with the results of a similar survey conducted in 2013.
2. This year's survey was part of the Global Privacy Enforcement Network ("GPEN") mobile Sweep exercise that took place in May this year. PCPD joined forces with 25 other privacy enforcement authorities around the globe to look at the privacy transparency and permission of apps2 .
3. The Privacy Commissioner for Personal Data, Mr Allan Chiang, commented, "Transparency is central to respecting the privacy of individuals and it is paramount that organisations develop transparent online privacy policies so that individuals understand how their personal data is handled in this virtual context."
4. "Admittedly, conveying privacy information to consumers can present unique challenges in the app world, where screens are small and users' attention can be intermittent. That said, compliance with the legal obligations under the Personal Data (Privacy) Ordinance (the "Ordinance") is a must. In any event, a customer-focussed organisation will appreciate that an app provides an interface between the organisation and potentially millions of customers, clients and users. Effective privacy communications can be rewarded with customer trust and loyalty: the cornerstone of business success."
The Survey Findings
5. The sweepers in the surveys in 2013 and 2014 assessed transparency based on the following key indicators: -
(a) Prior to installation, did the app provide privacy policy statements ("PPS") to explain clearly how it would collect, use and disclose personal data?
(b) Which permissions did the app request access to and did the app explain why?
The major problems identified were tabulated below.
6. First, only slightly more than half of the apps provided any form of PPS. Most of them were inadequate in terms of relevance, readability and accessibility. Without being meaningfully informed about the collection, use, and/or disclosure of their personal data, users are hampered in deciding whether to download the app.
7. Further, the sweepers in Hong Kong concluded in their subjective assessment that most of the apps seemed to have sought permissions for data access beyond what they expected based on the app's functionality.
| 2014 Survey(total = 60 apps) | 2013 Survey(total = 60 apps) | |
|---|---|---|
| Apps provided PPSs | 33 (55%) | 36 (60%) |
| PPSs that were tailored to apps | 5 out of 33 (15%) | 3 out of 36 (8%) |
| PPSs were written in language different from app3 or not easily accessible4 | 2 out of 33 (6%) | 4 out of 36 (11%) |
| At least one form of contact details (email, phone, address etc.) was provided | 60 out of 60 (100%) (but the identities of 5 app developers could not be directly ascertained from the contact information) | 36 out of 60 (60%) |
| 2014 Survey (Hong Kong)(total = 60 apps) | 2014 Sweep (Global)(total = 1,211) | |
|---|---|---|
| Unclear or missing information as regards whether data would be accessed, and if yes, what data and why | 43 (72%) | 715 (59%) |
| Permission of data access being sought went beyond user's expectation based on app's functionality5 | 51 (85%)(total = 60 apps) | 281 (31%) (total = 908) |
PCPD's Promotional and Enforcement Efforts
8. Mr Chiang further commented, "In view of the seriousness of the privacy issues identified in the surveys, we will continue to engage the app developers' community and the general public to ensure that they do take privacy seriously."
9. "The surveys were not intended to conclusively identify for specific apps compliance issues or possible contraventions of the requirements under the Ordinance. However, to deter proliferation of the malpractices, we will investigate into complaints and initiate compliance investigations, and take appropriate enforcement actions."
Privacy-friendly yet Popular Apps, such as the MyObservatory, are Viable
10. Despite the prevalence of disappointing privacy features, PCPD was impressed by the app MyObservatory6 as it featured an easily understandable PPS that addressed the concerns of users by articulating what data it would and would not access. Furthermore, the Android version facilitated users to allow or disallow location information to be read by the app, even though such permission had already been obtained at the time of app installation. This demonstrates that it is possible to develop an app that is popular, functional and privacy-friendly.
- End -
1 www.pcpd.org.hk/english/resources_centre/publications/surveys/files/sweep2014_e.pdf
2 www.pcpd.org.hk/english/infocentre/press_20140507.htm
3 For example, the interface of apps was in Chinese but the PPS was in English.
4 For example, the PPS was a 126-line long statement displayed in a tiny 8-line window on the developer's website.
5 For example, many games and finance apps needed access to locations and unique phone identifier; and some games needed access to the built-in microphone for recording
6 https://play.google.com/store/apps/details?id=hko.MyObservatory_v1_0&hl=en-GB