Hot on the trail of the FTC’s recent report on privacy, the GSMA, the London-based industry association representing over 800 cellular network operators worldwide, released its “high-level” Mobile Privacy Principles (the “Principles”) on January 27, 2011. The Principles were released with the goal of creating a “robust and effective framework for the protection of privacy” to promote users’ confidence and trust in mobile applications. These Principles encourage a “privacy by design” approach to mobile privacy and encourage a consistent and harmonized approach to privacy across mobile services and applications. Such Principles are highly relevant after the surge in mobile computing made possible by mobile devices, such as the iPhone, Blackberry, and Droid.
The two boldest aspects of the Principles are found in the definitions—namely, in how “personal information” is defined and in the broad responsibility of privacy espoused by the Principles.
The Principles define “personal information” extremely broadly, encompassing “any data” that is collected directly from a user, indirectly about a user, and about a user’s behavior, and any “user-generated data held on a user’s device.” As the Principles recognize, this definition of “personal information” is much broader than many national laws—including laws and regulations in the United States.
The Principles also state that “all responsible persons” are accountable for ensuring that the Principles are met – meaning the relevant service and application providers, mobile operators, handset manufacturers, and the operating system and software providers. Although it is commendable that the Principles recommend such broad responsibility for privacy, this approach may encourage a diffusion of responsibility and be ineffective.
In summary, the nine Principles are:
- Openness, Transparency and Notice – the Principles encourage “responsible persons” to be open and honest with users and to provide clear, prominent and timely data regarding privacy issues.
- Purpose and Use – the access, collection, sharing, disclosure, and further use of personal information should be limited to meeting legitimate business purposes.
- User Choice and Control – users should be given “meaningful choice” and control over their personal information.
- Data Minimization and Retention – only the minimum amount of personal information necessary to meet legitimate business purposes should be collected, and information should not be kept longer than necessary, and thereafter the information should be deleted or rendered anonymous.
- Respect User Rights – users should be provided with information about and an easy means to exercise their rights over the use of their personal information.
- Security – the Principles encourage “reasonable safeguards appropriate to the sensitivity of the information.”
- Education – users should be educated about privacy and security issues and ways to manage and protect their privacy.
- Children & Adolescents – the Principles merely recommend compliance with national law.
- Accountability & Enforcement – Consistent with the “privacy by design” approach, the Principles state that “all responsible persons” are accountable for ensuring compliance with the Principles.