Since early 2021, the App Store requires developers to indicate what data their applications collect from users.
Whether it's a selfless drive for transparency or Apple's crushing of the competition, the outcome for iPhone and iPad owners is proving to be beneficial. In an age when personal data is worth more than it's weight in gold, it is essential to be aware of the data collected by applications.
Of course, this does not suit the developers, who would do well to display all the information they record about their users. It is for this reason that Google, for example, is slow to update its apps since the new reform of Apple. In mid-February, the tech giant ended up updating YouTube on iOS, then Gmail on February 24, and other applications in the Google suite in early March. To this day, privacy information for Google Pay, Maps, Chrome, Photos, and Assistant is still missing in the App Store.
To help users better understand app privacy labels, Apple has published definitions and examples of collected data, a sort simplified dictionary of data for the inexperienced. But between the 'data used to track you' and the 'data establishing a link with you' or the 'contact details' and 'identifiers,' it can be difficult to navigate and to understand concretely what all this information is used for. Oscar Lourdin, personal data protection consultant for the consulting firm DPO Consulting thinks highly of this move.
What is rather positive with Apple's new policy is that it is part of a process to popularize the very technical explanation. What data is, whether it is personal or not, and the multiple uses that can be made by the different actors.
Users will be able to realize that applications collect categories of personal data that are sometimes unsuspected!
We've covered these broad categories of data your apps can collect, and what these do with them.
Sensitive data are 'those which have the most protective framework because, in principle, their use is prohibited,' explains Oscar Lourdin. As their name suggests, these are personal data revealing information deemed 'sensitive,' because their processing may entail a significant risk for the user.
In its lexicon, Apple gives as an example of sensitive information 'racial or ethnic data, sexual orientation, pregnancy or the birth of a child, a disability, religious or philosophical beliefs, union membership, political opinions, genetic information or biometric data.' Health data and criminal record information are also considered sensitive data.
Article 9 of the General Data Protection Regulation (GDPR) prohibits applications from processing this data, with some exceptions. 'It is often thanks to the exception of consent that they manage to use it. Dating apps, for example, are likely to collect data on sexual orientation if the user consents to registration.'
While applications seldom specify on their own the sensitivity of the data they wish to collect, users should be careful before agreeing to provide it.
Highly personal data
Another category with which we must be particularly vigilant: so-called highly personal data. 'The GDPR lists data considered to be legally sensitive. But in practice, we know that there are other data which do not appear in this list and which are sensitive in the primary sense of the term. These are said to be highly personal data, they are identified by the supervisory authorities such as the CNIL in their various works,' explains Oscar Lourdin.
Payment information, for example 'payment method, payment card number or bank account number' like Apple listing, is highly personal data. With the development of contactless mobile payment, they are more and more numerous in our smartphones and our applications.
Location data also falls into this category. Apple distinguishes between the precise location - described as 'information indicating your position with a resolution equal to or greater than that of a latitude and longitude expressed to three or more decimal places' -, and the approximate location, whose precision is lessened.
In addition to location data and financial data, all data relating to electronic communications are considered highly personal by European authorities. These can be calls, emails, text messages, and voicemail messages, all listed under Apple's 'User Content' category.
The audio recording itself is in my opinion a highly personal data. Unless in this audio recording you reveal information about your religion or sexual orientation and in that case it becomes sensitive data.
Personal data includes all data that makes it possible to identify someone. The sensitive and highly personal data discussed above are one of them, but there are plenty more.
The definition of personal data evolves according to what is technically permissible, because with less and less data, we will be more and more able to identify people with more and more certainty. The identifying data framework is extremely broad.
Among the well-known personal data, we can cite what Apple calls 'contact details:' name, first name, email address and physical address, telephone number ... And even if their personal nature is less obvious than for contact details, some information related to Internet usage is also personal data: this is the case of the IP address, application usage data or your browsing history.
'The history of purchases on a commercial site is neither sensitive data, nor highly personal data because there is little chance that it will reveal highly personal information about you (although it is not impossible). Conversely, your purchase history on a pornographic site is more so, because it can reveal your sexual orientation and/or damage your reputation,' specifies Oscar Lourdin.
It often happens that data considered to be personal does not, on its own, make it possible to precisely identify someone - this is the case of a date of birth for example. It is when they are crossed with other data that the personal and identifying character of this information is revealed. Data cross-referencing is used on a large scale by companies and advertisers to establish advertising profiles, and the slightest data, the slightest 'like' on a photo, can make a difference.
'The definition of personal data is very functional: as soon as a piece of data or a cross of data makes it possible to identify a natural person with certainty, the definition is satisfied and the GDPR applies. Depending on the intended use, all categories of data may be affected,' summarizes the expert.
There is also non-personal data, which does not allow for the identification of natural persons. 'They are authorized for trade and are subject to a regulation other than the GDPR,' specifies Oscar Lourdin.
The European Commission distinguishes between two categories of non-personal data: 'data which initially did not relate to an identified or identifiable natural person' and 'data which were initially personal data but which have subsequently been made anonymous.'
In the lexicon established by Apple, this is for example data in the 'Diagnosis' category: data on failures, performance data and technical diagnostic data.
Information about a company - which is not linked to natural persons - such as a general email address or a VAT number, is also considered as non-personal data and is not affected by the GDPR.
What do apps do with all this data?
Application developers have several reasons for wanting to collect data from their users. Some are purely technical and serve to improve the service offered. Others may also be full of good intentions, such as processing data to advance scientific research. But the main reason is of course financial.
The personal data collected by the applications is in the majority of cases either sold to advertisers for advertising purposes, or used directly by the company behind the application, also for advertising purposes.
There are several categories of data that are used to create user profiles. These profiles are communicated to advertisers who use them to refine the advertisements they offer us.
The whole business model of free apps is based on collecting this data, and it's impossible to escape it once you have apps on your smartphone. 'Big Tech offers such a wide range of functions today that they have more or less legitimate reasons, or in any case legally arguable, to collect a quantity of categories of data which is astronomical.'
For example, Facebook claims that it collects the phone number of its users to secure access to the account. 'If you ever forgot your password, it is indeed practical,' recognizes Oscar Lourdin. But behind these noble declarations, it makes it possible to identify people who have or do not have the Facebook application and to target them, to try to identify the reasons why they are not on Facebook.
If you want to know more precisely what data such or such app collects on your iPhone or iPad, and what it does with it, you can type the name of the app in question in the App Store and scroll down until you find 'app privacy.' Be warned, the sheer length of that list might surprise you.