The world is digitising, making it crucial for people to understand how to manage their online data. Given their influential position as gatekeepers, app stores play a significant role in data protection. They determine who can access an app and provide users with app information. Julia Krämer, PhD candidate at Erasmus School of Law, was a guest on the podcast The Digital Period, a podcast series hosted by legal philosopher Judith Blijden. In the episode titled “Values and Technology”, Krämer discusses the crucial role of app stores in ensuring data protection compliance for apps and how app users can better equip themselves to protect their data.
Krämer's research project is part of the Sector Plan 'Balancing Public and Private Interests' and 'Empirical Legal Studies,' for which she applied with her research proposal. During her master's program, she began researching data protection legislation, focusing on how the General Data Protection Regulation (GDPR) in 2018 affected the privacy policies of websites. "However, I started to be more concerned with mobile apps, as the data apps may collect may be more sensitive data than the data we are revealing when browsing on our computers." In addition to her studies, Krämer worked as a research assistant at the Leibniz Centre of European Economic Research, where she learned to program. She utilises this skill in her doctoral research.
Data protection within the EU
Krämer explains that the European Union has many rules governing how apps may collect or process data. "In reality, however, compliance with these rules lacks for a variety of reasons." Krämer notes that smaller developer teams may not be well acquainted with European privacy laws. She also points out that enforcing data protection legislation can be challenging for entities without a presence within the EU. "Therefore, the role of mobile app stores is crucial, as they essentially function as 'privacy regulators,' setting the rules that govern the inclusion or exclusion of apps within the stores and, consequently, determining which apps are accessible to users. In my research, I am exploring this role by exploring how app stores impact data protection compliance in apps. For this reason, I collect privacy information about millions of apps, such as their privacy policies, which I analyse according to their compliance."
A critical look at developments
Krämer notes a current shift in how people approach privacy protection. She indicates that privacy is transitioning from an inconvenience to a value users actively want to protect. "Companies are recognising this shift and are strategically positioning themselves as privacy-centric to appeal to increasingly privacy-conscious consumers, as seen by recent marketing campaigns from firms like Apple."
Krämer highlights various company initiatives, such as Apple Tracking Transparency, which makes user consent mandatory before apps can track them, or the Google Privacy Sandbox, aiming to phase out third-party cookies on Chrome by 2024. Both app stores have also introduced privacy labels, providing information about app data collection using images. "However, it is essential to critically evaluate these changes. Such initiatives are driven by powerful private entities, with Apple and Google taking the lead, which can dictate the terms of the new features, which has raised attention by competition authorities in the EU. While it is welcome that privacy receives more attention, it is crucial for EU and national regulators ensure that these initiatives are not merely serving the interests of individual companies but genuinely safeguarding broader privacy and data protection principles."
Responsibility for online privacy
When asked about people's handling of their online privacy, Krämer says, "I find it worrying that many people are unaware of the consequences of online tracking." Krämer provides examples of targeted shopping ads that can easily tempt users to buy unnecessary items or even political ads that can directly impact democratic values. "However, I do not believe that the responsibility here should lie with the user, as we see that this does not work."
Krämer appreciates the new initiative of the Apple App Store and the Google Play Store to inform users with images on an app's page before installation. "However, the design of the label is questionable, as it does not inform users about Apple's and Google's own tracking practices. Luckily, civil society organisations and academic scholars have undertaken initiatives to empower users." Examples include the Exodus Privacy Project and TrackerControl.org.
These initiatives make it easier for users to understand the scope and content of trackers used by an app.
"Which stakeholder - user, app developer, app store or EU regulators - should bear most responsibility for privacy compliance within apps is something I am further exploring in my research, and I hope I will have an answer soon!"
The episode Values and Technology, in which Krämer speaks, can be listened to on the podcast channel 'The Digital Period' on Spotify.
- PhD student