TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, May 20, 2016 Related reading: EDPB adopts opinions on draft UK adequacy decision




Greetings from Utrecht in the Netherlands!

Those of you who follow the weekly Notes will recall I wrote about the Norwegian Consumer Council in March lodging a complaint with the Norwegian ombudsman against the dating app Tinder. Well, the consumer watchdog is back and seeking out that well known fitness app Runkeeper, which it claims has breached both Norwegian and European data protection law. More precisely, the NCC is at odds over the fitness app’s tracking capability and data-handling practices.

Runkeeper has been a media headline of late. In February the Japanese trainer manufacturer Asics acquired FitnessKeeper, the U.S.-based outfit behind the popular health-centric app. This is the latest indicator that sportswear companies are showing great interest in courting the fitness-tracking apps industry. Runtastic, another popular fitness tracking app was bought by Adidas last year. Also in the same year, MyFitnessPal was acquired by Under Armour. Acquisitions with sense you might say, and with good reason. Take the Runkeeper app. It is available for both iPhone and Android, and is used by over 40 million users worldwide (myself included). It is one of the few fitness apps that utilizes GPS tracking and can independently work on Android Wear-compatible smartwatches without requiring a smartphone. Think of the wealth of user fitness and health-oriented data leveraged with marketing analytics potential. Asics, in its own right, is one of the best sold sportswear and running shoe brands on the market. In acquiring a digital technology platform such as Runkeeper, the potential for Asics to develop new digital lifestyle services to the market seems key to its growth strategy. 

According to the NCC, Runkeeper transmits data about its users all the time, not just when the app is in use.  According to the council, Runkeeper’s terms and conditions do not explain how regularly data is transmitted, and users do not give consent to being monitored in this way. The council further argued that the Android version of the app tracks users and transmits personal location data to a third-party advertiser in the United States, even when not in use. The data in question includes timestamped location information, as well as Google advertising IDs that can be used to identify the individual.

The NCC’s digital policy director, Finn Myrstad, is reported to have said, “everyone understands that Runkeeper tracks users while they exercise, but to continue after the training has ended is not okay. Not only is it a breach of privacy laws, we are also convinced that users do not want to be tracked in this way, or for information to be shared with third party advertisers. It is clear that Runkeeper needs to have a good think about how it treats users' data and privacy.”

Similar to Tinder, Runkeeper has no European subsidiaries and is entirely based and run out of the United States. The result being that European data protection and consumer agencies have limited power, due to jurisdiction. It is unlikely that Runkeeper could be subject to serious sanctions in Europe despite the company serving local European markets. In case you are wondering, Runkeeper was not signed up to the former Safe Harbor mechanism.

In response, RunKeeper announced this week that it had found a bug in its Android code that resulted in the leaking of users’ location data to a third-party advertising service. They went on to state that they were releasing a new version of their app, thus eliminating the bug and removing the third-party services involved. Additional up-dates to the iOS product have also been made and a new version will be available once it is approved by Apple. The NCC welcomed the quick response to the criticism by Runkeeper, but cautioned that it is not enough. The consumer watchdog expects Runkeeper to ensure that the third party involved deletes the illegally collected data immediately with a public acknowledgment.

This is certainly not the first time we have heard questions being asked of the apps industry and how they operate in practice with regard to user privacy; it is in some respects reassuring to know that agencies such as the NCC are conducting investigative audits. Through informed awareness of ongoing app practices, users are empowered to decide whether they want to continue supporting them or not.


If you want to comment on this post, you need to login.