In 21st century life where we spend so much of our working and recreational time online, our data has exponentially value to bad actors. Cyberattacks are more frequent and especially after the pandemic, during which more and more high-level services have moved online, our data is more vulnerable than ever.
As the number of people globally online continues to grow each day — currently statistics from Statista show that there are on average of 5.16 billion internet users worldwide or equivalent to nearly 65 percent of earth’s citizens — and no matter where in the world we each live or are temporarily located, our data can be compromised. Whether this is by our own poor digital hygiene or forced access via hacking or phishing, our data can be used to impersonate us or to undertake all-out identity theft, for financial exploitation, for blackmail, and even to break into our homes and vehicles. Without exaggeration, when personal and professional data is breached, the extent of threats and consequences is now somewhat inexhaustible.
Why data protection laws are so important in 2023 for mobile app development and more
In response to both a more connected world and the seemingly inexhaustible number of cyberattacks, governments are now working overtime to get their cybersecurity and data protection policies up to date. From government departments devoted to cyber threats and events like Senate hearings investigating Facebook’s (now Meta) user data distribution for political campaigns, a huge proportion of the efforts to protect people on the internet is now being focused on the technology companies that actually facilitate the infrastructure of the internet as we know it. Referencing one of the frontrunners of this policy, the economic and political 27-country European Union, Tech company Trend Micro say that, “Companies are no longer just required to announce that their systems have been breached but also pay fines that can reach up to 4 percent of their annual turnover should they deal with the data belonging to European Union (EU) citizens in accordance with the General Data Protection Regulation (GDPR) requirements.”
The EU’s GDPR reflects what has now basically become a blueprint for the global standard in data protection laws. In a globalized world, even after the events of Covid-19 led to so many nation states turning inward, data privacy is essentially now part of consistently working against global crime. This is because cybersecurity has a transcontinental impact with countless real world, cross-border implications. According to Interpol the spoils of cybercrime contribute to a substantial number of the most destabilizing, illegal, and dangerous global issues that impact everyone particularly abuse, trafficking, and assault of minors and vulnerable people, financial crime, and international terrorism. Interpol explains further that this can all contribute to political, economic, and social instability that impacts individuals and communities degrading trust, damaging public and private service providers who operate both offline and online, and, “ratchet up tensions between nations” as governments and critical infrastructure experience more frequent and sustained cyberattacks. Moreover, the World Economic Forum projects that cybercrime could cost the global economy $10.5 trillion USD annually by 2025 that they say is, “deepening geopolitical tensions have increased the prevalence of so-called advanced persistent threats (APTs), which are becoming as sophisticated as they are pervasive.”
When we consider the fact that over half of the world’s population is connected to the internet in some form and that more than half of these users now opt to access the internet via a mobile device, which excludes tablet users, there is added security pressure on mobile app developers. Understanding and adhering to data protection laws during the development of mobile applications is a constantly fluctuating technical and legalistic responsibility as policymakers struggle to keep up with the multiplying and diversifying nature of cybercrime. This is why we are focusing on this topic in this blog to discuss the implications for mobile app developers and to help with understanding how to approach this as users as well as when working with or setting out to hire a mobile app development company.
In this article, we are going to review what this means as we walk through the following points:
- Where data protection laws are at in 2023
- What mobile app developers should know about data protection laws
- What happens with mobile app developments where users move between regions using the application
- What are the main challenges facing all mobile app development companies working to protect user data in an age of cyberthreats and cybercrime
- How mobile app users protect themselves beyond the cybersecurity infrastructure in mobile app development
Where data protection laws are at in 2023
To commence our discussion, let us review the status of global data protection laws right now. As already touched upon, cybercrime causes damage the world over. At present, there is no global standard for data protection despite data breaches and cyberattacks happening across borders with no discretion for regional laws. “Until global rules are strengthened and reporting of breaches is mandatory across most sectors, it will be impossible to understand the true magnitude of the challenge, much less develop targeted solutions,” says the World Economic Forum in their call for a united response amongst all nation states and unions as part of their 2023 Global Risk Report, “These problems are compounded by a scarcity of security experts, poor reporting habits and a lack of global agreements about how to regulate cyber threats.”
The global standards from the data protection laws that indicate what could inform the precedent for a worldwide policy are:
- The EU’s General Data Protection Regulation
- The state of California’s California Consumer Privacy Act (CCPA)
- The Asia-Pacific Economic Cooperation (APEC)
- The EU-U.S. Data Privacy Framework (EU-US DPF)
On the horizon are:
- The Indian Digital Personal Data Protection Bill
- The Canadian Digital Charter Implementation Act, Bill C-27
- The EU Digital Markets Act
- S. State Acts — Colorado, Connecticut, Utah, and Virginia to introduce GDPR-style bills
Many of these laws do run fairly parallel to GDPR and this is because the foundation for the EU’s policy is based on the German state of Hesse’s 1970 data protection laws that were the very first in the world — well before the Internet and World Wide Web era that is so normalized for us now. What is true is that even now, in 2023, a European-derived data protection policy framework informs how we think about and how governments work to look after their citizen’s rights in terms of:
- Access
- Correction
- Portability
- Erasure
- Consent
- Appeal
- Design Process for Data Storage
Mobile app development takes up, as already touched on, a significant proportion of the technology market. Delving into what mobile app developers should know about data protection laws, there are two aspects to have comprehension about: individual user data protection and intellectual property rights including copyright. In their analytical guide, the World Intellectual Property Organization (WIPO) who are experts in this area explicate why apps, by their very nature in how they frequently create user databases, are subject to the laws of the jurisdiction where development occurs and also the jurisdiction of the region where the app will be used. WIPO’s Guide to Data Protection in Mobile Applications describes that, “Using such code and algorithms to process the personal data of individual people – whether users of the app or not – means that app providers/developers must have some understanding of the rights these individuals have under data protection law, and how these rights may interact or conflict with their own or third party IP rights.”
For mobile app developers and the companies behind the application being developed, accurate and detail-oriented incorporation of data protection laws needs to happen. WIPO emphasize, “Data protection compliance is an important legal issue in its own right and should be considered at the start of the app development process, as the consequences of noncompliance may include high administrative fines and/or criminal penalties.” For the most part, the legislative data protection baseline for a globally-distributed app is likely to be GDPR as these are still the most tightly controlled and policed regulations in the world. GDPR lays out a series of key principles to govern data protection for “data subjects” (GDPR nomenclature for “individuals”) in the development process writes Fredric D. Bellamy for Reuters that consist of:
- Privacy or data protection by design
- Record-keeping
- Data minimization
- Transparency, informed consent, and legitimate uses
- Data protection officers and data impact protection assessments
- Best cybersecurity practices
- Data breach notifications
- Employee training
- Requiring appropriate contractual language
These principles for mobile app developers are intended for use for applications that will be used in the EU with scope for utilization in the development process for U.S.-based developers and many other countries, too. It is crucial to note here that though there is no official global data protection standard for mobile app development, the EU’s GDPR articles are the world’s strictest at present and though other countries and regions are designing their privacy and data protection acts with GDPR-like principles, they don’t necessarily have the exact same requirements based on both differences in express requirements in legislative requirements or because the region has other laws that preclude new legislation. What this means for mobile app developers is an understanding of the global standard of data protection, that is generally agreed to be GDPR, and then to adhere to the laws of the region where the app will be used, which we will discuss more in the next part of article.
What happens with mobile app developments where users move between regions using the application
The logical question to now ask is what happens with data protection for apps with a target user market across multiple legislative regions. How does this affect developers and what do they need to do to adhere to data protection acts without negatively impacting all stakeholders? Regulatory compliance is very complicated, as we’ve already addressed, and it’s only gotten more complicated in the last five years since GDPR was introduced in 2018. Some thought leaders, like Ameesh Divatia writing for VentureBeat, even argue that for mobile app developers and tech companies this era of data protection legislation has led to the following discourse playing out in the industry: Divatia shares, “What is notable is how the focus of these conversations has shifted from “What can you tell me about compliance?” to “What should we be doing to avoid fines?”
In the case of developing apps for users in all different compliance regions, the number one thing developers and the application development companies need to do is incorporate the data protection laws in place for each region. This is obviously a labor-intensive undertaking and yet it has a multi-layered benefit of protecting users while also avoiding fines. At this point there is no precise blueprint for how to do this — and Divatia quotes business leaders on the inherent complexity of this task that it is like “trying to satisfy each law is akin to walking in the rain without getting wet”. The takeaway for all players with skin in this game is, on a project level, to review development processes every time work begins with a client to check all relevant versions of legislation are clearly understood and, on a business level, to allocate resources for regular reviews and analysis of relevant legislation across all regions of operations and application deployments.
What are the main challenges facing all mobile app development companies working to protect user data in an age of cyberthreats and cybercrime
There is understandably a considerable amount of pressure on mobile app developers in light of both the seriousness and value of the personal and professional data their products handle then because of the crackdown on punishment on companies whose products fail to protect user data.
In 2023, the predominant challenges app development companies face when working to uphold data protection legislation are:
-
- Staying up-to-date with legislation — As discussed, this legislation is constantly evolving and subject to a range of legalistic clauses, terms that can affect app functionality, and, how to develop an application that works for a broad target market with absolute compliance to a range of legislation. This is an ongoing challenge for developers who don’t necessarily have legal expertise and are working to achieve a client’s vision to a development schedule.
- Harmony between consumer privacy and data protection laws on state and global levels — We’ve covered that there is now international consensus on a global data protection and consumer privacy act; this impacts consumers and businesses alike that, in a changing situation and with economic downturn, are all experiencing great stress in their everyday personal and working lives. This in turns puts significantly more pressure on developers who are trying to engineer apps that help businesses and deliver solutions to users.
- Cloud versus local storage of user data — The tension between the most secure databases for apps is most profound here because cloud servers are more robust yet cloud data breaches are common whereas local storage can be more secure but apps won’t perform as well. To deliver a high-quality app, developers will opt for cloud storage but there’s added pressure then to have an exceptional standard of database security that might have it’s own barriers to implementation that aren’t tied to developer competencies at all.
- User education and digital hygiene for data privacy — Following on from the database question, user errors most commonly result in data breaches. Getting digital hygiene ticking over with a knowledgable, proactive user group and vigilance in all online activities is what will have a positive return for all stakeholders including developers who can only do so much if a user is reckless with their own data and accounts.
- Changing legislation that affects data privacy in indirect ways — 2022 was a year where the U.S. Supreme Court made historic changes to their privacy laws that may affect data privacy across all apps and in fact all technology. If this precedent is upheld, this may change how developers both in the U.S. and International develop apps for these markets as they may need to have a comprehensive understanding of data protection and privacy legislation; with the rise in mHealth apps this is a pressing challenge for developers all over the world.
How mobile app users protect themselves beyond the cybersecurity infrastructure in mobile app development
Mobile app developers must uphold all data protection laws in the mobile app development process but how can users play a role in this, too? After all, even with the most secure application there is still an accountability on the part of the user to keep their identity safe and exercise best practice digital hygiene steps for their own cyber health. Below are eight points for increasing the likelihood of a properly secured app through enhanced user diligence, tools, and systems:
1. Phone model choice
Though one phone brand isn’t more secure than another, Apple devices traditionally have greater security built into their interface design than non-Apple devices. It is generally harder to hack the Apple iOS which gives users increased protection against data breaches though it doesn’t eliminate the risk completely.
2. Virtual Private Network (VPN)
Switching on a VPN before connecting the internet is another step for users to obscure their internet activity by encrypting their traffic and hiding their location. This should be used both on private and public networks and is an invaluable habit to protect personal identity.
3. Password manager
The number one way most people experience a data breach is through poor password security. Weak passwords catch people out time and time again in scenarios from poor professional credentials to making it way too easy for a hacker to access home networks. Password managers simplify the headache of creating high-level passwords, updating them, and keeping them organized all of which tend to be excuses people make for not using better passwords. Paying for a password manager from the range of services available is a sound administrative and security step.
4. Internet of Things (IoT) devices
There are now billions of IoT devices in the world and many cybercriminals are using them as a backdoor to home and work networks due to their weak security infrastructure. People tend to connect them to their networks without thinking which leaves their data, their homes, their cars, and their identities open to attacks. Though these are ‘smart’ devices it’s even wiser to take the intelligent step of using complex passwords with each device in conjunction with other digital hygiene steps.
5. Social media privacy
People are in the habit of putting their personal lives and information out to the whole wide world for the taking on their preferred social channels. If people want to continue using these accounts, they should overhaul their security settings with strong passwords, eliminate their recognizable information, images and videos, and remove authentication details from their accounts. In the long run, social media accounts should only be open to people they know personally.
6. Check personal information available online
Auditing personal information that could be used to access accounts and impersonate them is another way users can clean up the loose details that lead to identity theft. Deciding exactly what people want to be publicly available about them is part of making explicit decisions about personal safety in a digital world. Checking to see what photos are out there, if it’s ever been disclosed where someone lives, and where they work are all ways people can evaluate their safety.
7. Change email providers that use data servers
Data is part of what makes everyone vulnerable and free, email services could be compromised so effortlessly on the part of a hacker. Paying for an email service removes the value exchange of user data being stored with a free company even if the information seems innocuous, in the wrong hands it could be used to blackmail people or even impersonate them and steal from them. Just as with a password manager, the paid service is part of investing in security, administrative freedom, and being decisive about how personal safety is prioritized in all areas of life.
8. Consider using local storage rather than cloud storage
Cloud storage can also be breached so using local storage, such as a password-protected computer or password-protected external hard drive can reduce the risk of sensitive details falling into the wrong hands via hacking. Recent data breaches of private and public organizations, even government departments, shows that no cloud databases are impenetrable. This is another investment for people to make however it can also help resolve any existing storage issues of compromised files and identify any data silos that are lying unprotected in different accounts online or on home networks.
Conclusion
Getting data protection law application right is a high-level responsibility for all internal stakeholders involved in mobile app development: the mobile app developers, the company a client hires for the application development (including the production process, deployment, and maintenance), and, the owner of the app. There are, as we have investigated and explored here, serious damages that can be caused of both a short-term and long-term nature if data privacy policies are not understood, applied, and consistently upheld. This, of course, has risks for the user’s personal security, while also affecting:
- Trust of the brand behind the application
- Ethical standards for operating online
- Vulnerable third-parties who can also be exploited in a chain-reaction
Strategies for understanding, applying, and upholding these laws need to be central to the development process of all mobile app developers and all technology companies, with an operational standard for staying on top of these consistently to ensure compliance. This is an ethical, operational, security, and technical obligation that is ultimately a non-negotiable of business both now and, without question, in the years ahead. Asking questions of developers, discussing this among teams, and empowering individuals to manage their own personal cybersecurity are all part of a dynamic approach to data protection and deterring cybercrime.
Though the future may be different, with more robust software and hardware infrastructure that substantiates an impenetrable standard of cyber-protection, for now understanding both threats and policies is the baseline of continuing to work and play online. Furthermore, what is ahead in data protection remains to be seen with the United Nations in working on a cybercrime treaty that was first agreed to in 2019 with the first meeting held in 2022 — the World Economic Forum’s most recent update on this states that, “For now, states are negotiating over the parameters of a treaty – called the Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes – with most western governments determined that it upholds individual data protection and privacy rights” — meaning the legal parameters of this kind of legislation is likely to change dramatically by the end of this decade.