Penetration Test | Jan Kahmen | 9 min read

Data Protection and Data Security - Account Deletion within Apps Soon Mandatory

A new feature is mandatory account deletion: If users are asked to set up an account for an app, it must also be possible to delete it.

Data protection and data security are critical topics in today's digital landscape. No one wants to discover their private photos on unfamiliar websites or find their company secrets in the hands of competitors. Being well informed protects against fraud and helps prevent both financial and personal harm.

What Is the Difference Between Privacy and Data Security?

Data protection is a fundamental right afforded to every citizen. According to the Federal Commissioner for Data Protection and Information Security (BfDI), it guarantees protection against improper data processing, the right to informational self-determination, and the safeguarding of privacy. The focus is squarely on personal data.

What is and is not permitted under data protection law is governed by the German Federal Data Protection Act (BDSG) and the data protection laws of the individual German states.

Data security is neither a right nor a law. It encompasses measures designed to protect data against manipulation, loss, unauthorized access by third parties, and other threats. All data is affected, regardless of whether it contains personal information or not. Inadequate data security can become a serious problem for companies and individuals alike, particularly when it leads to data loss or the theft of trade secrets.

Concepts for Data Protection and Data Security

Fortunately, established concepts exist for protecting data. A key distinction is drawn between data protection concepts and data security concepts.

A data protection concept covers both digital and analog personal data. It describes and evaluates the information required under data protection law for the collection, use, and processing of personal data. In other words, it defines who has access to specific personal data, by what means, for what purpose, and to what extent.

A data security concept, on the other hand, combines elements of a data protection concept and an IT security concept, assessed against a defined maturity level. It covers all of a company's data, whether analog or digital, personal or non-personal. Its goal is to prevent unauthorized parties from accessing data in any form. The right cybersecurity framework is invaluable in this regard.

To verify the effectiveness of such a concept, penetration testing is employed. It uncovers vulnerabilities and gaps in digital data protection that must then be addressed.

Privacy and Data Security in Apps in General

Apps are also required to ensure data protection and disclose their data processing practices through a privacy statement that users must confirm. The Telemedia Act (TMG) and the German Federal Data Protection Act (BDSG) define the framework for such privacy statements in apps.

The BDSG imposes the following requirements on an app's privacy policy:

  • Disclosure of the purpose behind data collection, storage, and/or processing.
  • Information about the types of data collected by the app, including metadata, content data, and personal data.
  • Information about the duration of data storage.
  • Identification of which third parties have authorized access.
  • A notice regarding the right of access, revocation, and data deletion.
  • The designation of the responsible entity, including contact details.

Violations of these requirements are treated as administrative offenses. Anyone who publishes an app and provides inaccurate or incomplete information in the privacy policy faces substantial fines or even imprisonment.

Previous Data Protection in the Apple App Store and Google Play Store

Previously, it was often unclear before downloading an app what data it intended to collect and for what purposes. After downloading, users had to agree to the terms of use, yet even after reading them thoroughly, they were not always better informed. Apple caused an outcry among app developers when it announced plans to address this lack of transparency. Now Google is following suit with the Android Play Store, aiming to improve both data protection and user-friendliness.

Apple and the App Store

Privacy is now a top priority for Apple. Through its "App Privacy" section, the App Store already lets users review an app's privacy details before downloading. This means you can see at a glance what data the app collects. The privacy information is divided into three categories:

  • Data used for tracking the user
  • Data directly linked to the user
  • Non-linked data

Tracking data is generated when a user browses web pages. The app or its operator uses this data to build a tracking profile, which third parties then leverage to serve targeted advertising.

Android and the Google Play Store

On the Android side, data protection is set to be strengthened as well: the Google Play Store plans to offer a similar format to Apple by Q2 2022. Going forward, users will also be able to see in the Play Store which data a selected app intends to collect before downloading it. The rollout is planned in stages.

In the first phase, by Q4 2021, all app developers must disclose which types of data they store and how. This includes location data, contacts, personal information, photos and videos, as well as audio and storage files. Additionally, by that deadline, providers must supply full details on how they use this data, such as whether it is required for app functionality and/or personalization.

Starting in Q1 2022, this and additional information about each app will be available in the Play Store, similar to Apple's privacy label. From Q2 2022 onward, these disclosures will be mandatory for all apps.

New for Data Protection and Data Security in the App Store: Mandatory Account Deletion

Mandatory account deletion is an entirely new requirement: if users are asked to create an account for an app, they must also be able to delete it. Specifically, providers must ensure that the account can be deleted directly from within the app.

This development is long overdue, especially considering that uninstalling an app does not necessarily remove the associated account.

Without account deletion, the connection to the app provider can persist even after the app is no longer in use, while the user no longer has any access to their own account or personal data.
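To make that distinction concrete, here is an added example (not code from the article or from either app store; the `Backend`, `Account` and `uninstall_app` names are hypothetical) modelling a server where uninstalling the client leaves the account and its data untouched, while the in-app deletion endpoint requires a live session, purges the personal data and revokes every session token the account ever issued.

```python
# Added illustration of in-app account deletion versus a plain uninstall.
# Names are hypothetical; the in-memory "backend" stands in for a real service.
from dataclasses import dataclass, field
import secrets
from typing import Dict, Set


@dataclass
class Account:
    email: str
    personal_data: Dict[str, str] = field(default_factory=dict)
    sessions: Set[str] = field(default_factory=set)  # tokens issued to devices


class Backend:
    """Server side: accounts plus the session tokens it has handed out."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.session_owner: Dict[str, str] = {}  # token -> account id

    def register(self, account_id: str, email: str, **data: str) -> str:
        self.accounts[account_id] = Account(email, dict(data))
        return self.login(account_id)

    def login(self, account_id: str) -> str:
        token = secrets.token_hex(16)
        self.accounts[account_id].sessions.add(token)
        self.session_owner[token] = account_id
        return token

    def is_valid(self, token: str) -> bool:
        return token in self.session_owner

    def delete_account(self, token: str) -> bool:
        """In-app deletion: caller must present a live session (proof of
        control), then all personal data is purged and every token for the
        account is revoked, not only the one used for the request."""
        account_id = self.session_owner.get(token)
        if account_id is None:
            return False  # unauthenticated or already-deleted: refuse
        account = self.accounts.pop(account_id)
        for old in account.sessions:  # revoke sessions on all devices
            self.session_owner.pop(old, None)
        account.personal_data.clear()
        return True


def uninstall_app(local_token: str) -> None:
    """Client-side uninstall only discards the local token; the server is
    never told, so the account and its personal data remain."""
    del local_token
```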

Consumers in Mind – The App Store Guidelines Could Be Pioneers Once Again

The new regulations make app usage significantly more transparent for consumers. It would be welcome if the Google Play Store and other app stores followed suit in the near future.

This innovation could also serve as a model for other areas of digital data protection. When it comes to data protection in the cloud, there is often a similar lack of clarity regarding app permissions. Many users are unaware of their own responsibilities when using cloud services. Clear disclosures like the "App Privacy" section in the App Store would provide real value here.

Conclusion – The New App Store Guidelines Are a Win for All App Users

The new App Store Guidelines put consumers first: they make it easier to maintain control over personal data. This is a welcome development that will hopefully extend to other areas of the digital world in the coming years. Greater security, transparency, and user satisfaction would benefit everyone.