A new feature is mandatory account deletion: If users are asked to set up an account for an app, it must also be possible to delete it.
Privacy and data security are important topics. No one wants to find their private photos on any websites or know their company secrets in the hands of the competition. Knowing your way around protects against fraud and prevents financial as well as personal damage.
Data protection is a right that every citizen has. It guarantees according to the Federal Commissioner for Data Protection and Information Security (BfDI): "Every citizen protection against improper data processing, the right to informational self-determination and the protection of privacy." The focus is thus on personal data.
What is and is not permitted under data protection law is regulated by the German Federal Data Protection Act (BDSG) and the data protection laws of the German states.
Data security is neither a right nor a law. Data security includes measures to protect data against manipulation, loss, unauthorized access by third parties or other threats. All data is affected, regardless of whether it has a personal reference or not. Inadequate data security can become a problem for companies and private individuals alike. Namely, if this results in data loss or even if company secrets are stolen.
Fortunately, there are concepts to protect data. A distinction is made between data protection and data security concepts.
A data protection concept relates to both digital and analog personal data. It describes and assesses the information required under data protection law for the collection, use and processing of personal data. In other words, it establishes who has access to certain personal data, how, for what reason and to what extent.
A data security concept, on the other hand, is a mixture of a data protection concept and an IT security concept with the maturity level. It concerns all private data or all data of a company - whether analog or digital, whether personal or not. It is intended to prevent unauthorized persons from accessing data in any form. The right cybersecurity framework is a great help here.
To check the security of such a concept, Penetration Testing is used. It reveals vulnerabilities and gaps in digital data protection, which then need to be closed.
Apps must also provide data protection and announce data processing with a statement that users must first confirm. The Telemedia Act (TMG) and the German Federal Data Protection Act (BDSG) provide the framework for such privacy statements in apps.
Privacy is now a big priority for Apple. In its view for "app privacy", the Apple Store already allows a look at the privacy information of the app before downloading. This means that the user can get an overview of what data the app is interested in before downloading. The privacy information is divided into three areas:
Tracking data is the data that is generated when a user views web pages. The app or its operator uses this data to create a tracking profile. This is used by third parties to display advertising tailored to the user.
On Android, privacy is to be strengthened: So the Google Play Store for Android wants to follow suit and offer a similar format to Apple by Q2 2022. In the future, users should also know in the Play Store before downloading which data the selected app wants to collect. The development will take place step by step.
Initially - that is, by Q4 2021 - all app developers will have to specify which types of data they store and how. This includes location, contacts, personal information, photos and videos, audio and storage files. In addition, by that date, vendors should provide all information about how they use that data. That is, whether it is necessary for app functionality and/or personalization, for example.
From the 1st quarter of 2022, this and other information about an app should then be available in the Play Store. Similar to Apple with its privacy label. From Q2 2022, the information should then be mandatory for all apps.
The mandatory account deletion is completely new: If users are requested to set up an account for an app, it must also be possible to delete it. More precisely, providers must ensure that they can delete the account from within the app.
This development is long overdue. Especially when you consider that deleting an app does not necessarily mean the account disappears.
After all, without deleting the account, the connection to the app-developing company can continue even without using the app. However, without having access to the own account and thus to the own data.
Consumers in mind - the App Store Guidelines could be a pioneer here again
The new regulations make things easier for consumers with regard to app use. It is also desirable that the Google Play Store and other app stores follow suit soon.
The innovation could also be a model for other areas of digital data protection. When it comes to data protection in the cloud, there is often similar uncertainty as with the powers of apps. Users are often unaware of their own responsibility in cloud use. Clear information such as that provided for "app data protection" in the App Store would be a good service here.
The new App Store Guidelines have the consumer in mind: They make it easier for them to maintain control over their data. This is a positive development that will hopefully rub off on other areas of the digital world in the coming years. This would be immensely beneficial for more security, transparency, and thus user satisfaction.