14 Jul Privacy “nutrition labels”, transparency, and data protection as a corporate social responsibility
by Paolo Balboni – originally published on Paolo Balboni’s personal blog.
A few weeks ago Apple announced an important strategic step forward in the protection of the privacy and data protection rights of its users by way of an enhanced privacy feature that it has called a “Privacy Nutrition label”. Using icons in combination with clear and simple language, the information provided by way of Apple’s pop-up “label” is intended to “help users understand an app’s privacy practices before they download the app” and “to learn about some of the data types an app may collect, and whether the information is used to track them or is linked to their identity or device.” While not a catch-all for privacy rights, this represents a significant shift towards transparency in the tech world and is a demonstration of Apple’s increased attentiveness towards privacy and data protection transparency and its commitment to behaving in a socially responsible way.
The announcement came at the Worldwide Developers Conference, where Apple user privacy manager Erik Neuenschwander virtually announced the new privacy labels that cover both “Data Linked to You” and “Data Used to Track You”, requiring app developers to self-report information on the personal data that their apps collect, including financial information, browsing history, purchases, location data, and camera and microphone recordings, among others. Importantly, users will be required to opt in to such permissions in order to allow apps access to the relevant data and to “track them across apps and websites owned by other companies”, which, according to Apple, includes the display of targeted advertisements in apps based on user data collected from apps and websites owned by other companies.
You can read more about the AppTrackingTransparency framework for requesting access to app-related data for tracking the user or the device on Apple’s Developer blog here.
Apple will still allow for the tracking of users in the absence of their opt-in consent when user or device data from the app is linked to third-party data only on the user’s device and is therefore not sent from the device in a way that can identify the user or device, and when data shared with a data broker is used for the purposes of fraud detection and prevention, or security purposes on behalf of the developer.
The idea of the Privacy Nutrition Label is strongly aligned with what the Data Protection as a Corporate Social Responsibility Research Group at Maastricht University has called for in the development of its Framework,* requiring organizations to “Be transparent with citizens about the collection of their data” (Principle 2, DPCSR Framework), and more specifically, calling on them to implement such transparency and provide adequate information to data subjects before engaging in processing (Principle 2, Rule 1: Before processing. The organization shall use icons (and sounds) for an easily visible, intelligible and clearly legible provision of information concerning the intended processing. Electronically presented icons should be machine-readable).
Transparency towards users about what data is collected and how it is used is intrinsically linked to both fairness and the principle of accountability under the GDPR. Promoting trust in processes which affect data subjects by allowing them to understand and potentially challenge those processes “Empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example, providing or withdrawing informed consent and actioning their data subject rights.” (See the Art 29 WP Guidelines on Transparency).
It can be argued that what Apple is doing truly brings to life the fundamental concept of data protection by design, requiring app developers to proactively improve the transparency of the data processing activities carried out by their apps, which Apple makes available for download from its store.
Environments such as apps, which trace and track users, and where massive amounts of data are collected, processed, and shared (often without the user’s awareness), present significant challenges for organizations both in terms of legal compliance and in terms of adherence to ethical, fundamental rights, and transparency-related principles, such as those established in the GDPR and the Charter of Fundamental Rights. It’s time to think outside of the box and go beyond what is enshrined in the law in order to effectively tackle these issues through the adoption of novel frameworks and/or the adoption of innovative transparency tools, of which the Apple Nutrition Label represents a recent example.
In short, I warmly welcome Apple’s announcement and look forward to seeing further potential implications of its decision to increase transparency of data processing in the app environment, which I hope will soon become an everyday reality in the provision of online products and services, also thanks to the adoption on the part of organizations of the forthcoming Maastricht Data Protection as Corporate Social Responsibility Framework.
*The concept of Data Protection as a Corporate Social Responsibility has been developed and promoted by myself at Maastricht University, after first having launched the idea on my blog in 2017. I am currently managing and supervising a mixed methodology research project with Stakeholder involvement at Maastricht University, which aims to develop a framework that “trigger[s] virtuous data protection competition between companies by creating an environment that identifies and promotes data protection as an asset which can be used to help companies to responsibly further their economic targets.” To learn more about the project, see the University’s dedicated webpage.