Research shows that mobile customers are concerned about their privacy and want simple and clear choices for controlling how their private information is used. They also want to know they can trust companies with their data. A lack of trust can act as a barrier to growth in economies that are increasingly data driven.
One of the major challenges faced by the growth of the mobile internet is that the security and privacy of people’s personal information is regulated by a patchwork of geographically bound privacy regulations, while the mobile internet service is, by definition, international. Furthermore, in many jurisdictions the regulations governing how customer data is collected, processed and stored vary considerably between market participants. For example, the rules governing how personal data is treated by mobile operators may be different from those governing how it can be used by internet players.
This misalignment between national privacy laws and global standard practices that have developed within the internet ecosystem makes it difficult for operators to provide customers with a consistent user experience. Equally, the misalignment may cause legal uncertainty for operators, which can deter investment and innovation. The inconsistent levels of protection also create risks that consumers might unwittingly provide easy access to their personal data, leaving them exposed to unwanted or undesirable outcomes such as identity theft and fraud.
How can policymakers help create a privacy framework that supports innovation in data use while balancing the need for privacy across borders, irrespective of the technology involved?
How is responsibility for ensuring privacy across borders best distributed across the mobile internet value chain?
What role does self-regulation play in a continually evolving technology environment?
What should be done to allow data to be used to support the social good and meet pressing public policy needs?
Currently, the wide range of services available through mobile devices offers varying degrees of privacy protection. To give customers confidence that their personal data is being properly protected — irrespective of service or device — a consistent level of protection must be provided.
Mobile operators believe that customer confidence and trust can only be fully achieved when users feel their privacy is appropriately protected.
The necessary safeguards should derive from a combination of internationally agreed approaches, national legislation and industry action. Governments should ensure legislation is technology neutral and that its rules are applied consistently to all players in the internet ecosystem.
Because of the high level of innovation in mobile services, legislation should focus on the overall risk to an individual’s privacy, rather than attempting to legislate for specific types of data. For example, legislation must deal with the risk to an individual arising from a range of different data types and contexts, rather than focusing on individual data types.
The mobile industry should ensure privacy risks are considered when designing new apps and services, and develop solutions that provide consumers with simple ways to understand their privacy choices and control their data.
The GSMA is committed to working with stakeholders from across the mobile industry to develop a consistent approach to privacy protection and promote trust in mobile services.
GSMA Mobile and Privacy website
GSMA Report: Safety, privacy and security across the mobile ecosystem
GSMA Report: Consumer Research Insights and Considerations for Policymakers
GSMA Report: Mobile Privacy Principles — Promoting a user-centric privacy framework for the mobile ecosystem
GSMA Report: Privacy Design Guidelines for Mobile Application Development
GSMA Report: Mobile Privacy and Big Data Analytics
GSMA Presentation: IoT Privacy by Design Decision Tree
Smart Privacy Practice and Regulation
A combination of smart data privacy practices and smart data privacy regulation is required to sustain consumers’ trust in the digital ecosystem that has evolved rapidly around them.
The GSMA has developed nine Mobile Privacy Principles as well as a range of resources to promote good practice. These resources include the GSMA’s Privacy Design Guidelines for Mobile Application Development, considerations that should be taken into account when engaging in Big Data analytics and a privacy-by-design decision tree for use in developing IoT products and services. They seek to strike a balance between protecting privacy and enabling organisations to achieve commercial, public policy and societal goals.
If organisations adopt comprehensive policies, processes and practices to protect the privacy of individuals — and can easily demonstrate these safeguards are effective — they will strengthen trust among consumers and regulators. Equally, if governments adopt smart data privacy rules, they can establish a regulatory environment that stimulates the digital economy while also unleashing its benefits for consumers and citizens.
While governments must ensure smart data privacy laws take account of citizens’ privacy concerns, they must also recognise that these rules can have important consequences beyond the protection of privacy. As a result, when drafting these rules, governments must take into consideration how these laws sit within an economic and societal context.
Policymakers around the world have been studying the EU’s General Data Protection Regulation (GDPR) and other regional and national frameworks or laws to inform their own legislative proposals. Among the lessons learned are that smart data privacy rules are:
- Horizontal, meaning they apply to all processing of personal data rather than focusing on just one technology or sector. This reduces the need for sectoral rules or operating licences that subject network operators to an additional set of competing privacy obligations.
- Principles-based, allowing innovation to thrive without having to reinvent the rules every time new technologies or business methods are introduced.
- Risk-based, encouraging companies to focus on preventing harm (for example, by setting a threshold for reporting of data breaches rather than mandating that all breaches are reported), or encouraging organisations to implement privacy-by-design and privacy impact assessment processes.
- Based on the idea of accountability, holding companies to account, but allowing them to innovate and comply in a way that makes sense for their business and rewarding those that embed a culture of privacy in their organisations.
- Open to data flows, allowing data to cross borders provided there are sufficient safeguards to protect an individual’s privacy (see the Cross-Border Flows of Data section in this handbook).
Mobile Privacy Principles
The GSMA has published a set of universal Mobile Privacy Principles, which describe how mobile consumers’ privacy should be respected and protected.
- Openness, transparency and notice
Responsible persons (e.g., application or service providers) shall be open and honest with users and will ensure users are provided with clear, prominent and timely information regarding their identity and data privacy practices.
- Purpose and use
The access, collection, sharing, disclosure and further use of personal information shall be limited to legitimate business purposes, such as providing applications or services as requested by users, or to otherwise meet legal obligations.
- User choice and control
Users shall be given opportunities to exercise meaningful choice and control over their personal information.
- Respect user rights
Users should be provided with information about, and an easy means to exercise, their rights over the use of their personal information.
- Security
Personal information must be protected, using reasonable safeguards appropriate to the sensitivity of the information.
- Education
Users should be provided with information about privacy and security issues and ways to manage and protect their privacy.
- Children and adolescents
An application or service that is directed at children and adolescents should ensure that the collection, access and use of personal information is appropriate in all given circumstances and is compatible with national law.
- Data minimisation and retention
Only the minimum personal information necessary to meet legitimate business purposes should be collected and otherwise accessed and used. Personal information must not be kept for longer than is necessary for those legitimate business purposes or to meet legal retention obligations.