GDPR Goes After Google — And Your App Could be Next
Published on January 25, 2019 by Michelle Pruitt
GDPR fines were inevitable. Despite years of lead-up and months of warning before the legislation came into effect last May, many companies simply weren’t prepared for the complex (and evolving) nature of EU privacy expectations.
Now search giant Google is in the compliance law’s cross hairs: As noted by Bloomberg, Google has been assessed a $57 million fine because it “fails to adequately explain how it collects data to offer personalized advertising.” For some experts, the fine is a warning of things to come — companies must improve their data handling or face the consequences. For others, the penalties are a step too far with a purpose too vague.
The hard truth? No matter where opinions fall, GDPR fines are now out in full force — and your application could be next.
Search and Seizure
It’s no surprise that a large enterprise like Google is making headlines for its substantial fine — nor is it surprising that data regulators are taking a hard look at the massive search company and its cadre of marketing, sales and advertising tools. According to France’s data regulator, Google’s personalized advertising consent form contains “extensively disseminated” information along with consent boxes that are “pre-ticked,” potentially causing users to overlook their contents. Under GDPR, this creates user consent that is overly generalized and ambiguous.
Google isn’t the only large tech company under scrutiny: As noted by Silicon Republic, Facebook is being investigated by Ireland’s Data Protection Commission for a bug that permitted hundreds of apps to access user photos without permission.
Meanwhile, according to IAPP, smaller fines have also been handed out to organizations for illegal video surveillance activities, illicit access of patient information and the data breach of a German social media company. These fines were smaller — ranging from $5,000 to $800,000 — but made it clear that GDPR has both bark and bite.
Despite the high fines leveraged against Google, they’re not the pinnacle of GDPR penalties: Companies could lose up to 4 percent of their annual turnover or €20 million, whichever is greater. As noted by Techopedia, this has spurred an uptick in hacker extortion techniques: Malicious actors compromise a network and then threaten to publicize the data breach unless their demands are met. Along with hefty payments, companies also risk getting duped — hackers could take the money and still release stolen data to prompt GDPR fines.
Coming to America?
In the United States, companies should expect discussion about GDPR-type legislation over the next year as legislators look to emulate — or push back against — Europe’s data regulation. According to ValueWalk, while this potential privacy law would likely be “a counterweight model to the GDPR” but would also focus on the protection of cross-border data and world engagement with American enterprises.
What does this mean for organizations looking to safeguard their data? GDPR is just the beginning — from malicious actor uptick to stateside legislation, data privacy is now paramount.
Overlooked but Not Exempt
Data breaches don’t happen in a vacuum. Information is typically stored in databases and created, accessed and changed through software applications. Vulnerabilities or poor security implementations in software applications can be exploited to obtain sensitive data. The result is a kind of unintentional oversight: The apps created by development and DevOps teams are often overlooked as potential infosec issues. But, now Data Processors have regulatory and statutory obligations – with GDPR, protecting applications becomes more important.
Let’s use Facebook again as an example: Recent research found that 61 percent of tested Android apps were sharing data with the social platform as soon as users opened the application — without their consent and whether they had a Facebook account or not.
Is there some culpability for Facebook here? Absolutely. But by choosing to add Facebook-connected code into their apps, developers and DevOps teams may be putting their organizations in harm’s way. Simply put? If your application is identified as the source of a privacy breach, your company pays the fine — even if data is being routed to social giants like Facebook.
The same rule applies to apps that are maliciously modified. If GDPR and other compliance regulators find that your organization didn’t exercise “due diligence” in reporting potential breaches, responding to alerts and log reports, detecting unauthorized access and preventing initial compromise, the results could be costly.
Privacy in Practice
How can DevOps teams protect their apps and steer clear of GDPR fines? As noted by Tech Beacon, start with encryption, use HTTPS for improved security, ensure apps always inform users about data collection policies and make sure applications are collecting the bare minimum of data required.
Then, tackle the source of data breach issues by deploying runtime application self-protection (RASP) tools capable of detecting unauthorized or unexpected app use and either terminating app sessions or notifying IT admins. Next, leverage application shielding solutions that prevent attackers from debugging app functions and employ obfuscation techniques to frustrate hackers attempting to steal your source code.
GDPR legislation makes it clear: Companies must be prepared to handle “state-of-the-art” hacking techniques and reliably secure user data with protection by design to avoid stinging penalties. Best bet? Secure data where it lives, works and moves — protect your apps to prevent GDPR penalties.