Commentary

App-makers, heed personal data protection law

My repertoire when it comes to using smartphone apps comprises only a few must-have functions: chat, search, directions, taxi booking, newspapers and photos.

I seldom venture beyond these utility apps, or download games and content-streaming apps. I have many reasons not to do so, including an obsession with protecting my data privacy.

It could be an occupational hazard. The more I cover news on data privacy and security breaches, the less I'm inclined to download.

There has been a stream of such news. A recent scare occurred in September last year when news broke that malicious code had found a way into some of Apple's popular Chinese mobile apps. More than 300 apps, including popular messaging service WeChat and cab-booking service Didi Kuaidi, were infected with the malware, which potentially allows the tracking of user data.

App developers should state clearly within the privacy policy on the app download page what user information is collected and how it will be used. Singapore's Personal Data Protection Act, implemented fully in July 2014, requires such clarity, which is not followed, according to the findings. The law applies to app developers based in Singapore.

Apple has since removed the infected apps, which could have been downloaded by users here.

Another news report surfaced on privacy threats closer to home.

The Straits Times reported in November that 90 per cent of mobile apps in Singapore - including those from banks, telcos, real estate agents and financial advisers - do not adequately declare what consumer data is collected or how it is used.

Yet, more than half of the mobile apps that people download seek access to swathes of sensitive information, such as users' online and social media identities and location. Apps from real estate agents and financial advisers even seek access to microphone and camera functions.

The findings came from a study by local data protection software-makers Straits Interactive and Appknox, which surveyed the privacy policies of 113 popular apps from the Singapore Google Play store.

App developers should state clearly within the privacy policy on the app download page what user information is collected and how it will be used. Singapore's Personal Data Protection Act, implemented fully in July 2014, requires such clarity, which is not followed, according to the findings.

The law applies to app developers based in Singapore.

The law also prohibits local organisations from collecting consumer data beyond what is "reasonable". But the level of compliance does not appear to be high on this front too, according to the study.

For instance, a calendar app was found to have asked for access to users' location and photos in what seems to be excessive data collection.

I believe that app developers' ignorance could have contributed to the lack of a clear privacy policy, and the prevalence of apps that collect excessive user data.

Clearly, app developers need to pay more attention to the law. It takes just one consumer complaint against one rogue app-maker for the privacy watchdog to come cracking down on errant ways.

Most users would appreciate being informed about how their personal data would be used.

App-makers should also, as a best practice, give consumers the choice to turn on or off any privacy-related feature within the app, such as location tracking and access to photos.

Consumers can also do their part by reporting to Singapore's privacy watchdog, the Personal Data Protection Commission, when they come across any excessive data collection and lack of clarity on how their data would be used.

A version of this article appeared in the print edition of The Straits Times on January 06, 2016, with the headline 'App-makers, heed personal data protection law'. Print Edition | Subscribe