Law Times

Jan 21, 2013

The premier weekly newspaper for the legal profession in Ontario

Issue link: https://digital.lawtimesnews.com/i/104321

FOCUS

Commissioners issue guidelines on mobile apps

Regulators aim to instil privacy sensitivity among developers

By Julius Melnitzer, For Law Times

The privacy guidelines for mobile applications issued jointly by the privacy commissioners of Canada, Alberta, and British Columbia in October 2012 may appear to some people as yet another layer of bureaucracy that hampers the innovative and entrepreneurial spirit. But businesses with their ears to the ground feel otherwise.

"Studies suggest that up to 57 per cent of users have either dropped an app or avoided installing it because of privacy concerns," says David Elder of Stikeman Elliott LLP's Ottawa office. "So it's not just about legal requirements but also about the business reality that people are very suspicious and concerned regarding misuse of their personal information."

To that end, the guidelines aim squarely at the heart of the problem. "The guidelines are directed at app developers and not just at those businesses trying to implement the apps," says Patrick Flaherty of Torys LLP's Toronto office.

More specifically, the guidelines raise five key privacy considerations: the accountability of the developer; openness and transparency in the developer's privacy practices; collecting and keeping only the information needed to implement the app's purpose; obtaining meaningful consent on small screens; and the importance of timing as a component of consent.

As it stands, very few applications give detailed and standalone descriptions of how the program will collect and use the data. "The upshot is that the guidelines recommend an approach to app development that isn't widely followed in the industry," says Flaherty. "That's partly because many of the apps are developed in the U.S. where there's less sensitivity to privacy generally."

The guidelines also recommend using graphics to make privacy policies more understandable. "We are already seeing a number of different systems featuring icons to call attention to privacy issues, particularly in social media platforms," says Elder. "In all likelihood, these icons will eventually become standardized."

But upfront disclosure won't always be enough to constitute meaningful consent, particularly where an application seeks to collect more sensitive data. "There may be situations where consent is required each time the app wants to access certain information," says Elder. "Examples here include apps accessing contact or location information and apps that turn on the microphone or camera on a smartphone."
In terms of accountability, the guidelines suggest developers establish privacy management programs that include making an individual or team responsible for privacy protections; establishing a privacy policy; and creating a description of the data collection and usage for comparison to the privacy policy. The commissioners also recommend developers use contracts and user agreements to bind third parties to an application's privacy requirements.

Users should be able to locate the application's privacy policy and related information easily before embarking on any downloads. The related information should explain what the program will collect and why, where, and how long it will store the information as well as who can access it.

In terms of limiting what applications collect, developers should allow users to opt out of unnecessary data collection; delete the information they provide; ensure that personal information is deleted when they remove the application; and implement safeguards such as encrypting the data collected.

According to Flaherty, opt-in consent is reasonable when the collection of personal information is demonstrably necessary, the collection is an effective way to meet that goal, the loss of privacy is proportionate to the benefit gained, and less privacy-invasive measures aren't available.

Flaherty adds, however, that opt-out consent may also be appropriate for secondary marketing purposes but only where the personal information is nonsensitive; the consent is limited and sharing is well-defined; the purpose is similarly limited, well-defined, and described clearly and in a timely fashion; and the user can easily, inexpensively, and immediately opt out or withdraw consent.
Businesses collecting data should also be aware that Canada's anti-spam legislation amends the consent exceptions found in the Personal Information Protection and Electronic Documents Act, making them inapplicable to the collection or use of an electronic address collected "through the use of a computer program designed primarily for use in generating, searching for, and collecting electronic addresses."

The provision, Flaherty says, targets computer programs designed to find electronic addresses or automatically generate a list of valid e-mail domains. "While these activities are not outrightly prohibited, they can be carried on only with the express consent of the owners of the electronic addresses," he explains.
