mobile phones – Cyber Law Watch

SURVEY ON THE ECONOMICS ON PERSONAL DATA ON MOBILE APPS LAUNCHED BY FRANCE’S PRIVACY WATCHDOG

Jan 23 2023

By Claude-Étienne Armingaud, Camille Scarparo and Alexandra Séguis

This survey follows the CNIL’s announcement on 24 November 2022 that it aims at “better understanding the economic challenges associated with the collection and processing of personal data in mobile applications” as part of its 2022-2024 strategic plan.

The CNIL considered data collection via mobile applications greatly lacks transparency as opposed to cookies collection on websites.

The expected inputs are to be used for the purpose of drafting recommendations to be submitted to public consultation during the second semester of this year.

Concurrently to its ever-active enforcement of website cookie framework, the CNIL also recently started going after mobile applications for their use of personal data, often leverage as a primary source of revenue for free-to-play mobile games. The most recent example being the French mobile game publisher Voodoo SAS, with a fine of EUR3 million for breach of user consent for targeted ads on 29 December 2022. Indeed, the CNIL considered that even when users did not consent to the tracking for advertising purposes, Voodoo still accessed the IDFV (Apple’s “IDentifier For Vendors” (“IDFV”) – an identifier assigned to app operators, which facilitates targeted advertising) and processed browsing information for advertising purposes, constituting a violation of French privacy law and the GDPR.

The CNIL now calls for economic contributions from experts, interest groups, regulatory entities and experienced private individuals in the field. The call for contributions closes on 10 February 2023. Contributions can be submitted by completing a questionnaire and/or a written statement at the following email address: ecodesapplis@cnil.fr.

All contributions will be covered by professional secrecy and will be published in the form of a synthetic and aggregated report.

Hold the phone…is “metadata” personal information? Who knows?

Feb 12 2016

By Cameron Abbott, Simon McDonald and Meg Aitken

The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.

Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.

Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.

Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.

Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.

Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.

Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) here.

Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 (18 December 2015) here.

Access the Office of the Australian Information Commissioner’s Press Release here.

Breaches Update – June 2015

Jun 20 2015

by Jim Bulling and Julia Baldi

U.S. Office of Personal Management Breach
The U.S.Government’s Office of Personal Management announced that its database has been subject to a cybersecurity breach. Hackers stole data relating to federal government employees dating back three decades and may effect more than four million people.

See the ABC report here and Forbes report here.

The OPM is offering affected individuals credit monitoring services and identity theft insurance. See the OPM announcement here.

Tag:mobile phones