Mobile apps are packed with our highly sensitive personal data. But new research by South African lawyer and lecturer Dusty-Lee Donnelly says privacy by design and other standard privacy protections for mobile app data (the consent model and regulations and compliance) just aren’t enough to protect our data privacy.
Donnelly says privacy by design, the interdisciplinary, systems engineering approach based on seven key principles by Ann Cavoukian, isn’t enough to protect personal data in mobile apps because the “design decisions made by app developers are constrained by existing technologies and platform rules designed by others.”
Instead, Donnelly endorses “privacy by (re)design, where all role-players in the ecosystem take privacy seriously and redesign existing platforms and technologies. But enforcing that approach will require tighter legal regulation of third party data sharing.”
Privacy by (re)design is another brainchild of Ann Cavoukian, described as a transformative process that gives organizations a standards-based framework for managing privacy projects.
Where privacy by design puts the onus on app developers to be proactive about data privacy, privacy by (re)design redesigns the “app ecosystem to address data sharing”, spreading the burden. Donnelly gives the example that most apps transmit data directly to third parties, like Google and Facebook, but privacy laws don’t adequately address this third-party sharing, which can leave app developers exposed to liability and users unprotected. Donnelly wants to “close the privacy loop” by making the parties who design the technologies and platforms on which mobile apps are built and marketed legally accountable.
We agree that app developers’ responsibility for “privacy by design” extends to what they create AND what they consume from an app ecosystem (analytics, advertising, etc). We see privacy by (re)design as a re-definition of where the boundary of responsibility for privacy design ends. The app publisher is ultimately responsible for the data they process, and “ignorance is no excuse.” In a perfect world, services with the potential for introducing privacy risk would be better regulated or regulations would make it easier for an app developer to make good privacy choices, but data is the new oil and perfect worlds rarely materialize.
The existence and success of MySudo is proof that privacy by design is not widespread enough to provide broad spectrum protection, and that privacy by (re)design is an indirect description of another gap for which MySudo helps you take back some control.