apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Privacy in SDKs
Romain Robert, Senior Lawyer and Program Director at NOYB
SDK and Data Protections: What Should We Care About?
1. @NOYBeu www.noyb.eu
SDK AND DATA PROTECTIONS:
WHAT SHOULD WE CARE ABOUT?
APIDays - 9 December 2021
Romain ROBERT
Program Director – None of Your Business
2. PRESENTATION OF NOYB
noyb?
= None Of Your Business
European Center for Digital Rights
• Not-for-profit organisation
• Independent
• Created by Max Schrems
• Founded in May 2017
• Based in Vienna
• 17 people, including 9 data protection lawyers from several jurisdictions
• About 4500 supporting members at the moment, who contribute around 400 000 € per year
• Additional funding comes from institutional members and project funding by public and private institutions (e.g. EFF). We also receive single donations and sponsorships on a non-regular basis
3. PRESENTATION OF NOYB
• Fills a structural gap in private sector privacy enforcement
• Cooperates with existing NGOs and groups in the fields of privacy, IT security and consumer protection
• Supports businesses that seek to comply with the law
• Is not directly involved in issues of government surveillance
• Raises public awareness
• Provides legal assistance to members
4. ORGANISATIONS AND THE GDPR
Article 80.1 GDPR explained
Who can act?
• not-for-profit body, organisation or association
• properly constituted in accordance with the law of a Member State
• statutory objectives which are in the public interest
• active in the field of the protection of data subjects' rights and freedoms
What can they do?
• lodge the complaint on the data subject's behalf
• exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf
• exercise the right to receive compensation referred to in Article 82 on his or her behalf, where provided for by Member State law
5. SDK AND GDPR/EPRIVACY
WHAT ?
- GDPR applies to all personal data
- Personal data: all data that can be linked to a person
- Includes: location, IDFA or Google advertising ID, cookies, pictures, phone number, …
- A lot of such data is sent by SDKs
6. SDK AND GDPR/EPRIVACY
WHAT ?
- ePrivacy Directive (Article 5.3)
- Using electronic communications networks to store information, or to gain access to information already stored, in the terminal equipment of a subscriber or user (this covers all personal data) is permitted only with:
- Consent, or
- The sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
7. SDK AND GDPR/EPRIVACY
WHO ?
- Controller: the entity that determines the means and purposes of the processing
- Can be the app developer and/or the SDK provider
- Both can be « joint controllers »
- An agreement then needs to be signed between them
- See the Grindr decision from the Norwegian DPA
- The processor is the organisation/company that processes the data on behalf of the controller
8. SDK AND GDPR/EPRIVACY
HOW ?
Transparency
- Information about:
- Which data
- For what (purpose)
- Examples of formulations that are not specific enough: improving user experience (Vinted) and securing the service (Kolibrie)
- Who are the recipients? (see the Norwegian DPA decision)
- List of recipients
- Important in order to enforce the rights
9. SDK AND GDPR/EPRIVACY
HOW ?
Consent
- Must be:
- Specific: per purpose and not general (per provider, per recipient)
- Free: not tied to the service
- Unambiguous: what exactly is this about
- Informed
- Possibility to withdraw consent
10. SDK AND GDPR/EPRIVACY
HOW ?
Sensitive data
Data about political views, sexual orientation, religion and ethnic background
Ex: the Qur'an app
11. SDK AND GDPR/EPRIVACY
HOW ?
Data protection by default
- All settings must by default be set to the most data protection friendly configuration
- This binds the app provider, but also the OS provider and the marketplace (see Apple IDFA in Spain)
Data protection by design
- Data protection should be embedded in the design
12. SDK AND GDPR/EPRIVACY
HOW ?
Data minimisation
• Only the data necessary for the purpose
• Not more
• Only to the extent necessary
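The transparency, consent, data-protection-by-default and data-minimisation slides all describe behaviour an SDK can enforce in code. The following is an added example, not code from the talk or from noyb: a minimal analytics-SDK facade in TypeScript in which no purpose is enabled until consent is recorded, consent is tracked per purpose and per recipient and can be withdrawn, the outgoing payload is cut down to the fields that purpose needs, and the app can list who receives data for what. The purpose, recipient and field names, and the sample event, are hypothetical.

```typescript
// Added example (not from the talk, not noyb's code): a minimal analytics-SDK facade whose
// behaviour follows the slides' principles. Purpose, recipient and field names are hypothetical.

type Purpose = "crash_reporting" | "analytics" | "ads_personalisation";
type Recipient = "vendor_a" | "vendor_b"; // hypothetical third-party recipients

// Everything an app might be tempted to hand to the SDK (constructed shape).
interface RawEvent {
  appVersion: string;
  os: string;
  screen: string;
  stackTrace?: string;
  advertisingId?: string; // IDFA / Google advertising ID: personal data
  location?: { lat: number; lon: number };
  phoneNumber?: string;
}

// Data minimisation: the fields each purpose genuinely needs, and nothing more.
const FIELDS_FOR_PURPOSE: { [P in Purpose]: (keyof RawEvent)[] } = {
  crash_reporting: ["appVersion", "os", "stackTrace"],
  analytics: ["appVersion", "screen"],
  ads_personalisation: ["appVersion", "advertisingId"],
};

// Copy only the listed keys that are present; used to build the outgoing payload.
function pick<T, K extends keyof T>(obj: T, keys: K[]): Partial<Pick<T, K>> {
  const out: Partial<Pick<T, K>> = {};
  for (const k of keys) {
    if (obj[k] !== undefined) out[k] = obj[k];
  }
  return out;
}

// Consent is recorded per purpose AND per recipient (specific, not a blanket "I agree")
// and can be withdrawn at any time. A plain object is used instead of Set to stay ES5-friendly.
class ConsentStore {
  private grants: { [key: string]: true } = {};
  private key(p: Purpose, r: Recipient): string { return p + ":" + r; }
  grant(p: Purpose, r: Recipient): void { this.grants[this.key(p, r)] = true; }
  withdraw(p: Purpose, r: Recipient): void { delete this.grants[this.key(p, r)]; }
  has(p: Purpose, r: Recipient): boolean { return this.grants[this.key(p, r)] === true; }
  // Transparency: the app can show the user exactly who receives data, and for which purpose.
  recipients(): string[] { return Object.keys(this.grants).sort(); }
}

class PrivacySdk {
  private consent: ConsentStore;
  // Data protection by default: a fresh SDK has no consent recorded, so every purpose
  // is off until the app records an explicit user choice. Nothing is sent beforehand.
  constructor(consent?: ConsentStore) { this.consent = consent || new ConsentStore(); }

  // The payload that may go to `recipient` for `purpose`, or null when there is no
  // consent (the caller must then send nothing at all, not an "anonymised" fallback).
  buildPayload(event: RawEvent, purpose: Purpose, recipient: Recipient): Partial<RawEvent> | null {
    if (!this.consent.has(purpose, recipient)) return null;
    return pick(event, FIELDS_FOR_PURPOSE[purpose]);
  }
}

// Constructed sample event; the identifiers are placeholders, not real values.
const SAMPLE_EVENT: RawEvent = {
  appVersion: "1.2.0",
  os: "iOS 15",
  screen: "home",
  advertisingId: "00000000-0000-0000-0000-PLACEHOLDER",
  location: { lat: 48.85, lon: 2.35 },
  phoneNumber: "+33 0 00 00 00 00",
};
```

The point of returning `null` rather than a reduced payload when consent is missing is that the ePrivacy and consent slides leave no room for a "send a little anyway" fallback; the caller has to treat `null` as "do not contact the recipient at all". Keying consent on the `purpose:recipient` pair is what makes it specific in the sense of the consent slide, and `recipients()` is the list of recipients the transparency slide asks for.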
13. SDK AND GDPR/EPRIVACY
HOW ?
Transfer out of the EU
As a principle, not allowed
Need to rely on an adequacy decision (US: Schrems I, Schrems II)
Or on Standard Contractual Clauses
14. SDK AND GDPR/EPRIVACY
Action?
Collective redress in courts
Complaints
Cookies campaign: noyb intends to file 10 000 complaints
SDKs may be next
15. SDK AND GDPR/EPRIVACY
Tools/resources
Exodus Privacy
https://exodus-privacy.eu.org/en/
Norwegian Consumer Council: « Out of control » report
https://www.forbrukerradet.no/out-of-control/
Thank you!
Support us on www.noyb.eu