Apple boots out apps that abuse location data collection

There are only two weeks to go before the European Union’s General Data Protection Regulation (GDPR) officially lands, on 25 May. Surely companies have all their data protection ducks in a row by now, one imagines…?

Or not. Or, at least, over at Apple, there’s still work being done to ensure that customers’ data is on extra strong lock-down, according to 9to5mac.

Namely, Apple is reportedly looking beyond its own data privacy/security toward that of its developers. Specifically, it’s been cracking down on those developers whose apps share location data, kicking them off the App Store until they cut out any code, frameworks or Software Development Kits (SDKs) that are in violation of Apple’s location data policies.

9to5mac has seen several cases of Apple having emailed developers to let them know that, “upon re-evaluation,” their applications are in violation of sections 5.1.1 and 5.1.2 of the App Store Review Guidelines. Those sections pertain to data collection, storage, use and sharing, as well as to letting people know what type of data an app requests (including location data).

One Twitter user sent out a screen capture of the notice he got:

9to5mac says that in the instances it’s seen, apps aren’t doing enough to let users know what’s happening with their data. Apple doesn’t want developers to just ask for permission – it’s telling them to explain what the data’s used for and how it’s shared.

If it’s to improve user experience, that’s OK. Otherwise, the apps are getting yanked.

“You may not use or transmit someone’s personal data without first obtaining their permission and providing access to information about how and where the data will be used.”

“Data collected from apps may not be used or shared with third parties for purposes unrelated to improving the user experience or software/hardware performance connected to the app’s functionality.”

Good for Apple for doing this type of due diligence on its developers.

You don’t have to look far to find instances where location data has been used in surveillance scenarios in which the information of scads of unintended targets gets caught up in dragnets. One of the most notorious such dragnets was revealed by Edward Snowden, when he released documents that showed that the National Security Agency (NSA) was collecting and storing data in a vast database that contained the locations of at least hundreds of millions of devices.

A more recent case, from November, was when Androids were caught secretly reporting location data regardless of opt-out.

The location data was never used, a Google spokesperson said, and therefore was never stored. Google was “taking steps to end the practice,” the spokesperson said at the time, “at least as part of this particular service.” Google didn’t say whether there were other Android services that do this.

What, exactly, is going to happen to companies that make this type of D’oh! mistake after the 25 May GDPR deadline?

The penalties could be huge: any business found not in compliance after that date could find itself hit with fines of up to €20m or 4% of an organization’s annual global turnover.

If you have any questions about your own business’s compliance, you might want to have a peek at the Sophos GDPR compliance check for peace of mind.