Analysis of Mobile Applications' Compliance with the General Data Protection Regulation (GDPR)
Abstract
Users increasingly rely on mobile applications for everyday activities. Processing personal data through such applications poses a significant risk to users' privacy and security. This stems mainly from the many sensors on a mobile device, but also from the nature of the device itself: it is portable and therefore physically difficult to secure. As a result, implementing the General Data Protection Regulation (GDPR) in mobile applications may pose serious challenges.
This study focused on how pharmaceutical and dating applications process users' personal data and whether they do so in compliance with the GDPR. We followed a design science methodology and evaluated each application against predefined test cases. Our study revealed instances of personal data stored unencrypted on the device, including users' social security numbers and special categories of personal data such as political opinions and religious beliefs, which require explicit consent under the new regulation. It further revealed that several applications do not allow users to opt out of automated individual decision-making for direct marketing purposes. Lastly, the study identified applications that had been updated specifically for the GDPR.
The majority of the work for this study was conducted before the GDPR's implementation date. It is therefore difficult to predict how Norway's supervisory authority will sanction infringements of the regulation. Nevertheless, our study revealed infringements of provisions that are subject to the administrative fines set out in the GDPR.