The Office of the Australian Information Commissioner (OAIC) has released its mobile privacy guide for app developers, promoting a ‘privacy by design’ approach.

“It is ultimately in an app developer’s best interest to build strong privacy protections into their product,” Privacy Commissioner Timothy Pilgrim said.
“The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust and loyalty.”
The guidelines recommend app developers consider carrying out a privacy impact assessment for each app they develop; make the app’s privacy policy easy to find; use short form notices that are no longer than a single screen; tell users what will happen with their information in real time; and only collect personal information that is required for the app to function.
They also recommend app developers notify users about how an app collects personal information, and whether it is likely to disclose that information outside Australia.
The OAIC said nearly two thirds of Australians had chosen not to use a smartphone app because of concerns about how their personal information would be used. It hopes the guide will lead app developers to embed better privacy practices into their products, and to comply with Australian privacy law.
The guidelines are, however, voluntary, and in many cases refer to “best practice” rather than specifically recommending an action.
For example, the guide recommends as “best practice” that app developers allow users to opt in to the collection or use of their personal information, but recommends opt out if opt in is “not practicable.”
In many cases the guidelines defer to the incoming updated Privacy Act, which applies to businesses with an annual turnover of more than $3 million.
The Privacy Act addresses the use of personal information, including location data, but the guide does not specifically advise against the use of location data.
It suggests developers avoid collecting information about a user's movements and activities through the use of integrated location and movement sensors unless it relates directly to the app and they have the user's informed consent.
The Australian Communications Consumer Action Network said it hoped the guide would make it clearer to app developers who handle users' personal information that they’re subject to Australian privacy laws which, if breached, could lead to them having to change their app or pay compensation to affected users.
"It is a useful step in the right direction, however a number of ACCAN recommendations which would have significantly strengthened the document, were not included," ACCAN chief executive officer Teresa Corbin said.
"ACCAN wants to see a fair app market with appropriate consumer protections that allow developers to innovate but still provide a safety net for vulnerable consumers.
"Where the market fails to deliver fair outcomes for consumers, ACCAN will not hesitate to call for stronger measures."
A spokesperson for industry group the Australian Interactive Media Association did not respond to a request for comment in time for publication.
AIMIA had argued for the guidelines to be less prescriptive, and that the suggestion that users be prompted to accept or decline permissions each time an app is updated would make the user experience confusing, and distract from more important new privacy notices.