It’s been said before (in this space and elsewhere) that customer data privacy matters, customers are becoming increasingly aware of that, and are demanding better privacy protections and assurances that their personal data won’t get lost, stolen or abused.
When markets fail to address such thing, regulators inevitably step in. The catch is that in the era of Big Data, cloud-based services and a complex collection of service ecosystems, privacy itself is becoming a fragmented beast that could be as difficult for regulators to enforce as it could be for service and content providers to comply with.
Take for example a recently published report [PDF] from a European group of privacy regulators called Article 29 Working Party, which outlines the legal obligations of just about everyone in the mobile value chain – from developers and app storefront owners to OS and device makers – for collecting, processing and protecting user data under EU data protection laws.
Essentially, it’s complicated and messy, especially when it comes to apps, as this excerpt [via GigaOM] demonstrates:
“An app provides information about nearby restaurants. To be installed the app developer must seek consent. To access the geolocation data, the app developer must separately ask for consent, e.g. during installation or prior to accessing the geolocation. Specific means that the consent must be limited to the specific purpose of advising the user about nearby restaurants. The location data from the device may therefore only be accessed when the user is using the app for that purpose. The user’s consent to process geolocation data does not allow the app to continuously collect location data from the device. This further processing would require additional information and separate consent.
The challenge, reports GigaOM, isn’t so much creating workable regulations to cover those bases as actually enforcing them:
The creation and distribution of apps can involve many, many parties, with services interlinked in a way that’s hard to keep track of — especially since one of the fundamentals of EU data protection law is that the user is kept fully informed of what’s happening with their data, the likelihood of proper compliance breaks down on that point alone. That’s before we even get to the thorny issue of who is situated where and whether sending data to that location means breaking the rules, or how many opportunities for a security breach get opened up by having so many links in the chain.
And that’s just the EU. Imagine the situation in a heterogeneous region like Asia.
For all the industry grousing about clueless regulators at the moment, I do think there’s a role for regulation in privacy. With so much data out there being generated and harvested, companies need to take privacy seriously, and there has to be sufficient (albeit reasonable) consequences for handling it improperly.
But if the Article 29 Working Party paper is anything to go by, any given regulator tasked with creating a regime of privacy rules and enforcement in this fragmented and complex an environment has its work cut out for it.