How to make sure your app complies with the Safe Harbor rules

When the Safe Harbor program was put in place in 2000, its intent was to align U.S. companies with EU personal data protection principles. But user data tracking and capturing has come a long way since 2000, and U.S. and other international intelligence agencies are capturing far more private user data than anyone could have initially anticipated. So a new reform is necessary to truly protect the rights of EU citizens.

Since news broke a few weeks ago that 30 major U.S. software companies have been violating the Safe Harbor agreement by compiling, using, and sharing EU consumers’ personal information without their awareness and meaningful consent, many of the named companies have updated their privacy policies. Yet the FTC, which enforces the agreement, hasn’t yet said whether it will investigate the accused and whether there will be an update of the Safe Harbor agreement.

Businesses need to live up to the integrity of regulations that are in place for good reasons — including bankrupting their company due to liabilities that could have been prevented.

Developers should first and foremost ask themselves:
* Do I know where my data is stored at all times and who can access it?
* Can I guarantee end-to-end encryption and the ability to manage data in the way it is intended?

If you can confidently answer yes to these questions, then you are doing your due diligence, but if the issue makes you a bit uneasy, here are some areas to consider.

Are you encrypting end-to-end? Key information such as location, unique device identifiers, and even personal identifiable data like IMEI is almost never encrypted over mobile networks. Why? Because it costs money and takes time. Complying with the highest privacy standards requires end-to-end encryption of user data and therefore a more complex and expensive infrastructure.

Many developers are understandably nervous to flag this as an issue with their customers and would prefer to gloss over it. Others may have prioritized usability, design, or monetization and come to tracking as an afterthought — something they have to look at after the important boxes are ticked. In such a highly competitive market, the temptation to cut corners is high, but the rewards are not worth the sensitive risks.

Where exactly is your user data located, and who has access to it? If you’re scratching your head to find the answer to these questions, you are not alone. The problem is not just data distribution to different analytics partners or networks. The simple problem is that mobile attribution tracking can’t tell you where the data is since it’s “somewhere in the cloud.” Many providers relying on cloud-based infrastructure will have a hard time answering this question.

What is your tracking provider sharing? Do you know how much data is shared from your tracking provider to marketers? Are you in control of what gets shared — events? your revenue data? private user information and their geolocations?

Many tracking providers don’t want to shine a spotlight on this area, as they are aware their practices breach applicable privacy laws. For others, it is simply a lack of awareness. Developers must trust all the companies that have an SDK in their app and know whether they are or aren’t privacy compliant. If you can’t protect the personal data of your users, you may want to reevaluate your business practices — it’s that simple.

The big players, Apple, Facebook and Google, are clearly moving in this direction, with Facebook recently terminating an agreement with two of its biggest Mobile Measurement Partners for failing to adequately safeguard user data. Apple also sent a clear message with its recent crackdown on IDFA usage by analytics providers, effectively preventing illegal user profiling. Google has also signaled its intention to ensure that data is protected, with its new Advertiser ID system coming into play from August 2014.

The bottom line
Don’t be the one who says, “Actually, I have no idea where your personal information is stored, how it got there, and who has access to it. And because I don’t know these things, I can’t promise your data is being controlled accordingly.”

Know and act on the laws that are in place, both local and international, and invest time and money to actively consider privacy issues in the earliest stages of product development. Companies that follow privacy and data management standards will continue to be trustworthy among partners and consumers and will have sustainability surviving in this fast growing market.

Paul H. Müller is CTO and co-founder of attribution and analytics company Adjust.