App-Makers – Watch Out for Privacy!

Yos Pang

Towards the end of last year The Straits Times reported that 90 per cent of mobile apps in Singapore (including those from banks, telcos, real estate agents and financial advisers) do not adequately comply with Singapore's data protection laws. The concern continues this year in another Straits Times article. This topic matters: apps hold a great deal of our personal data, and in today's online world such a high level of non-compliance is worrying. In this post we look at the issues behind the non-compliance and provide our top tips to help app-makers in 2016.

Why are apps still not in compliance?

There are two key areas where apps are not in compliance:

  1. Lack of transparency: Apps do not give users clear information about what data is collected and how it is used, and do not obtain informed consent from users before collecting it.
  2. Data maximisation: Apps collect more data than they really need. It doesn't take much of a leap to see that data an app does not need is data that can only be misused, or exposed in a breach, without any offsetting benefit to the user. Why else would you collect it?

The level of non-compliance quoted is surprising. Apps are ubiquitous; all of us use them and we all put our data into them on a daily basis. It is even more surprising because the data protection laws in Singapore have been on the books since 2012 and have been in force since mid-2014. In addition, the regulator (the PDPC) has published plenty of helpful guidance.

So what if apps are non-compliant?

The PDPC has the power to fine non-compliant organisations (and, in extreme cases, certain offences can carry imprisonment).

As yet the PDPC has not fined a non-compliant app. However, the PDPC has actively investigated and fined others for non-compliance, e.g. Xiaomi, a tuition agency and M1. It can take only a few complaints to grab a regulator's attention.

The unavoidable truth is that regulators will only become more interested in the online world, which is an important part of everyone's daily lives. Regulatory changes in Singapore already show an increasing focus on technology: see our post on the newly created IMDA in Singapore.

But it's not just about the legal risk. Our firm's position has always been that the data protection laws in Singapore represent good business and common sense. It is not hard to comply with the laws' requirements, and organisations that do so are more likely to win the trust of their customers.

Our top tips for app-makers

There is no good excuse for non-compliance. In fact, compliance is not difficult. So, to get 2016 off on the right path, app-makers must (as a minimum) follow our top tips:

  1. Write a clear and easy-to-read privacy policy that explains what user information is collected and how it will be used;
  2. Make the privacy policy easily accessible from the app store / app download page and in (or from) the app itself;
  3. Obtain consent at the outset through acceptance of the privacy policy, and again through contextual real-time notification at the point of use (for example, when the app first accesses the user's location or address book);
  4. Allow users to exercise their rights over their data (e.g. to access and correct it) through simple online tools;
  5. If you are using data for direct marketing purposes, get up-front, standalone consent and always provide an unsubscribe feature; and
  6. Put in place reasonable security arrangements to protect the personal data you hold against unauthorised access, loss or disclosure (for example, protecting data in transit and at rest and limiting who within your organisation can access it), and collect no more than you need, so that a breach exposes as little as possible.

For further information about "the law of the app", please see my colleague Matt Pollins's article on the topic.

Yos Pang

With thanks to Matthew Hunter.
