Media Statements

Global Results of the Second International GPEN Privacy Sweep

(12 September 2014) The Office of the Privacy Commissioner for Personal Data ("PCPD") joined forces with 25 other privacy enforcement authorities from around the globe in announcing today the results of an international Privacy Sweep exercise ("Sweep") to assess privacy issues. This is the second Sweep coordinated by the Global Privacy Enforcement Network ("GPEN")¹ . The focus of the 2014 initiative was on the privacy practices of mobile applications ("apps"). The results of the Sweep offer some insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organisations are informing consumers about their privacy practices.

The Sweep

The Sweep was conducted from 12 to 18 May 2014. In total, 1,211 apps were examined by all participating authorities included a mix of Apple and Android apps, free and paid apps, and public and private sector apps that ranged from games and health/fitness apps, to news and banking apps. The participants looked at the types of permissions apps were seeking, whether the permissions exceeded expectations based on the apps’ functionality, and most importantly, how the apps explained to consumers why they wanted the personal information and what they planned to do with it.

Common concerns

The 2014 Sweep highlights are:

• 75% of the Apps requested one or more permissions. The most commonly requested permissions included Location, Device ID, Access to Other Accounts, Camera and Contacts. This proportion of apps requesting permissions and the potential sensitivity of the data accessed highlights the importance of transparency in apps’ privacy practices.
• For 31% of the apps, sweepers were concerned that the requested permissions exceeded what they would expect based on their understanding of the apps’ functionality.
• 59% of apps raised concerns with respect to pre-installation privacy communications. Many apps provided little information prior to download about why the data was being collected or how it would be used, or only provided links to their websites with general privacy policies that were not tailored to the app itself. Several apps provided links to social media pages that did not work.
• 43% of the apps failed to tailor their privacy communications to a small smartphone screen and used small print and lengthy descriptions that required scrolling through multiple pages.

Best Practices

The participants also noted examples of best practices during the Sweep:

• 15% of apps provided a clear explanation of how they would collect, use and disclose personal information. The most privacy friendly apps offered brief, easy-to-understand explanations of what the app would and would not collect and use pursuant to each permission.
• Pop-ups, layered information and just-in-time notification were used to inform users of potential collections or uses of information when they were about to happen.

It is important to note that some highly popular apps in the e-marketplace were among those that received top ratings in transparency, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.

Mr Allan Chiang, the Privacy Commissioner for Personal Data said, "Privacy has become an international issue in the Internet and mobile world, requiring an international response. The challenges are global, and the solutions need to be global as well. The PCPD has now become a formal member of the GPEN and I look forward to working with my international counterparts to strengthen personal privacy protections in this global context.”

“Mobile apps are ubiquitous and have transformed business operations and our lives”, Mr Chiang added. “The Sweep has brought the issue of mobile apps’ privacy transparency to the forefront. Clearly there is ample room for improvement. I encourage apps developers to embrace user privacy protection as part of the design of apps. This privacy by design approach is conducive to building user trust and gaining a competitive advantage in business.”

Details of the results of the Sweep with respect to local smartphone apps will be published separately by the PCPD at a later date.

Apps developers are encouraged to refer to the guidance provided by the PCPD athttp://www.pcpd.org.hk/english/resources_centre/publications/files/apps_developers_e.pdf when designing and developing apps.

Seminars are conducted by the PCPD on this subject; details are at
https://www.pcpd.org.hk/english/activities/promotion.html

General consumers may refer to the PCPD’s guidance at
http://www.pcpd.org.hk/english/resources_centre/publications/files/smartphones_smart_e.pdf to protect their information when using apps.