EU GDPR Implementation

Computersmith64

Well-Known Member
Licensed User
Longtime User
Just wondering what the general thoughts on the new EU GDPR (General Data Protection Regulation) due to be implemented in mid May are?

For me there are 2 areas that will impact on my apps I think - advertising & analytics. From the emails I have received from Google (the latest being today), it looks like I will have to seek user consent to show targeted ads & if they decline that, then I'll have to still get their consent for non-targeted ads because AdMob uses cookies for frequency capping, etc...

If they decline that consent, I can offer them an option for an in-app purchase (that I would normally offer to stop ads) - but in reading the Guidelines On Consent (http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051) it seems that you can't actually stop them using the app if they refuse to give consent & also refuse to pay the fee (apparently their consent isn't classified as being given "freely" because their refusal is to their detriment).

Apparently Google will offer a way of asking for consent via an AdMob SDK, but I don't think this is available as-yet & when it is it will no doubt take some time to be available for B4A, so in the meantime I think we will have to provide some kind of in-app consent form.

On top of that, you also have to provide a way for users to withdraw their consent at any time & a way for them to request that all their data is irretrievably deleted.

At this point the only thing I have done is create a Data Consent Policy on my Facebook page that I will link to from my apps. I'm not really sure what other steps to take at this stage.

All in all, it seems like a bit of a minefield & I suspect it will have a big negative impact on in-app advertising revenues from EU - especially if users only give consent for non-targeted ads.

Any thoughts / comments / insights?

- Colin.
 

udg

Expert
Licensed User
Longtime User
EU GDPR is meant to protect EU citizens personal data. What constitutes "personal data"? Well, even their name if that is enough to identify someone (e.g. Marilyn for Marilyn Monroe, is considered personal data even if that one is not her real name..ah, burocracy!).
A real concern is WHERE data is stored. If you retain data on your server you become responsible for any data breach/loss, you have to assess a risk analisys, implement procedures to promptly (72h) signal data breaches to authorities and obviously are the end-point of any request from the user about his/her data (what data you retain, why, for how long, right to delete..). All this for simple personal data. When you touch "sensitive" data (medical, legal..) everything goes a lot worse.

A way to bypass most of the burden is to delegate data processing to companies declaring their conformity to GDPR. This way you need the consent from the user to process his/her data by a third party, clearly specifying the policies involved and finally hope that eveything will go smoothly..forever.

Anyway, we as programmers are requested to consider the data protection "by design"; this means that we should design our sw in ways that minimize the possibility of data breaches (e.g crypted data, SSL-only transmissions..).

Well, all that (and more) while W10 let's hundreds of stealth connections to who-knows-where go under the hood.. Don't believe me? Activate a firewall and monitor the outgoing traffic (yes, even Photo or Explorer pretend to call home). And what about those gems that make use of your browser (in my case FF) to exchange traffic on port 443 with unknown data centers?
Recently I dared to negate the use of the mic to the built-in Camera app of my mobile..it stopped to function! I understand that it could be needed when shooting a video, but why disabling the whole app?

Common sense tells me that when I buy something that object is mine and I can do with it everything I like (under my responsability).
Authorities rule things out along the lines that I'm an idiot, only they know which is the best for me while facilitating those who support them.
Freedom? Just a seven letters word. Forget it.
 

KMatle

Expert
Licensed User
Longtime User
@udg summaries the most important things. I assume you don't have a social network app or so :)

I would write down

- which data is collected (like name, birthdate, etc.)
- what you are doing with it ("used for registration only", etc.)
- how it is protected (encryption, PW-protected)
- WHERE it is stored (EU or not)
- only collect data you really need
- do not track any person (cookies, etc.)
- explain that you do NOT grant any access to the data to third persons (e.g. selling the data)

and display it to the user and on the Playstore.

Ususally you don't need to collect personal data (e.g. an abstract username is less personal as an email address).

I'm working for a health insurance here in Germany (highest protection standards as we store medical data of the customers). It wasn't a big thing to follow the new regulations because (as udg mentioned) we encrypt and protect everything. But my company is a big one and you are just a "small developer". I do think that the "new" regulations need some time to be clearer. Check the www from time to time so see best practices others recommend.
 

Beja

Expert
Licensed User
Longtime User
"Requesting Consent from European Users"

God save American users!
 
D

Deleted member 103

Guest
I have all my apps, who somehow need to store or use personal data, removed from Google Play and Apple Store!
I do not like this new EU Regulation, it is too uncertain and I think they do not know what they want. :mad:

I'm waiting now until everything returns to normal or really fixed what we have to do.

I often think that the deputies in the European Parliament do not know what to do, and therefore think up such new propositions. :mad:
 

udg

Expert
Licensed User
Longtime User
I often think that the deputies in the European Parliament do not know what to do, and therefore think up such new propositions.
Probably they are payed too much and have too much time to waste.
From 1988 to 2009 they obliged EU farmers and distributors to absurd rules about cucumbers (e.g: "be well shaped and practically straight (maximum height of the arc: 10 mm per 10 cm of length of the cucumber")
In 2011 they did it again, this time applying to a vast number of fruits and vegetables.

As for the GDPR, they often start from a sharable proposition, then meeting after meeting, monthly salary after monthly salary they produce those monsters.

To counterbalance GDPR's perverse effects I'm tempted to plan for a 100% anonimity setup for any service.
A few examples: users could register and sign-in only from an anonymous email account; users should pay using crypto-money or other anonymous means; every data our app collect is to be encrypted by a password that only the user knows and we don't store it anywhere in any format; data is transmitted securely (SSL/TLS); data on servers managed by us is entirely encrypted so we have no means to manage (read/spy/copy and give away..) it and eventual data breaches are almost without consequences (mainly based on the secret users' password used to encrypt).
Does that mean we can't execute computations on data? It depends. If we encrypt only personal data, we can still do computations on the remaining data.
 
Last edited:
D

Deleted member 103

Guest
I've even removed any app that uses admob (advertising); I have only earned 30-40 Euro / month anyway.
 

udg

Expert
Licensed User
Longtime User
I have only earned 30-40 Euro / month anyway.
That's another good reason not to comply with GDPR.
Have I to consider all the burden and risks it causes just for 30€/month? No, thank you. I can spend my valuable time in other ways.
 

itgirl

Active Member
Licensed User
Longtime User
Can't you just load NonPersonalizedAds without any showing of consent dialog or any other headache !!
 
D

Deleted member 103

Guest
I've just removed all my Google Play and Apple Store apps until I've incorporated my privacy policy.
Without privacy policy is much too risky.
 
Top