Examining Data Protection Issues in the App Economy According to Konrad Kollnig’s Award-Winning Thesis

What better day to receive an award for your PhD thesis about data protection than Data Protection Day? On January 28th, Konrad Kollnig, assistant professor in the Law & Tech Lab of the Law Faculty, was awarded this year’s Stefano Rodotà Award. His thesis (‘Regulatory technologies for the study of data and platform power in the app economy’) is a technological and legal study of mobile apps and of how to improve data protection in practice.

Started in the basement, now we are here

Kollnig has been interested in data protection issues for a long time. As a teenager, he tried to replace his Dropbox online file storage with a self-built solution in his parents’ basement. “But taking any meaningful action on privacy issues is very difficult as an individual,” Kollnig begins. “My motivation to pursue my PhD topic was re-ignited when I had to write my Master’s thesis in 2019 for my studies at the University of Oxford. This was shortly after the General Data Protection Regulation (GDPR), the EU’s notorious data protection law, had been introduced, which was in May 2018. So, I got interested in analysing how the law works in practice, and ended up doing a PhD thesis on the same topic after finishing my Master’s.”

About the Stefano Rodotà Award

This prize is awarded in honour and memory of Stefano Rodotà. He was a leading Italian law professor and politician who worked throughout his life to promote fundamental rights, particularly for the development and implementation of the right to data protection in Europe.

Still struggling

In the contemporary digital economy, there tends to be a grave power imbalance between those who develop our day-to-day technologies and those who use them. A few large tech companies in Silicon Valley, with well-resourced legal teams, develop a lot of the digital infrastructure we use. This makes it possible to side-step many of the applicable legal rules in Europe. And that’s exactly what Kollnig’s thesis is about.

“My thesis aims to take an interdisciplinary approach to addressing some of the power imbalance in the app economy, especially by combining technical and legal methods to understand questions relating to privacy and power in the app economy,” Kollnig says. “One of the most important outcomes of my thesis is that we are still struggling immensely with translating our laws into the digital economy.” Kollnig explains that his research found that about 70% of Android apps started sharing data with third-party companies, like Google and Facebook, as soon as users opened the app. Less than 3.5% of the apps implemented the minimum necessary requirements regarding user consent to data processing under EU law. “When users are asked for consent, this is often not in line with the legal requirements. Instead, they try to blackmail you into accepting terms,” Kollnig explains. The GDPR should provide data protection by design and by default. But, as Kollnig states, that’s not usually the case in practice.

On the edge of legality

App tracking is the practice of collecting and analysing data about a user’s behaviour within a mobile app or website. It is used to improve the app or to show relevant ads when you use your smartphone, for example. Nothing harmful, you might think. But tracking violates some laws. In many apps and websites, there is no genuine implementation of consent that meets the strict requirements of the GDPR. The GDPR’s transparency principles also seem to be commonly violated by tracking. “Even showing a single ad on a phone commonly involves exposing one’s personal data to hundreds – if not thousands – of different advertising companies that then place a bid to show an ad on your phone,” Kollnig says. “This is likely illegal.”

“Tracking is a technology that has been widely developed without individuals being aware of it, without complying with applicable laws, and without any meaningful debate around whether this approach is permissible for us as a society,” Kollnig explains. “There is a risk that data is traded across opaque companies at great scale and without an ability for anyone to control this data trading – which is what is currently happening. In other words, while tracking can be legitimate, this legitimacy comes down to a balancing of interests, which is commonly done in such a way that it is against EU law. Yet, enforcement of the law, due to limited resources of authorities, remains difficult.”

Test your own apps

Kollnig has turned a simplified version of his methodology into an online tool, so anyone who has a smartphone can use it. “This tooling allows individuals to learn about data practices in the apps on their phones.”

Check out the tool for Android and iOS.