The intricacy of the jurisdictional applicability of the GDPR doesn’t make it any easier. This Regulation
applies to the processing of personal data by a controller or processor established in the EU, regardless
of whether the processing takes place in the EU or not. It also applies to the processing of personal data
of ‘data subjects’ based in the EU by a controller or processor not established in the EU, where the
processing activities are related to: the offering of goods or services, irrespective of whether a payment
from the data subject is required, to such data subjects in the EU; or the monitoring of their behaviour as
far as their behaviour takes place within the EU. The GDPR finally applies to the processing of personal
data by a controller not established in the EU, but in a place where Member State law applies by virtue
of public international law.
The compliance of mobile apps with the GDPR may therefore not be a concern limited to EU enterprises,
but to a much wider pool of organisations falling in the above jurisdictional applicability. To resolve these
challenges, there is now a need for greater industry-wide cooperation on the development of standards
to make mobile apps secure by design.
Technology standards are published documents that establish specifications and procedures in the areas
of product reliability, safety, security and interoperability (in order to achieve compatibility with other
technology products). Because of their widespread availability and applicability, they have the further
benefit of fostering innovation, often simplifying the product development process.
The reason mobile apps need to be secure by design is that the requirement to prevent (and in some
cases provide) access to sensitive communication is deeply inscribed in modern legislation, which aims
to protect a variety of interests, ranging from the basic civil liberties of an individual at one end of the
spectrum, to the protection of the security of a nation against criminal activities at the other.
This is due to the fact that, while they have many legitimate purposes, secure communications may also
be used in the commission of criminal activities. It follows that law enforcement services need tools to
investigate cybercrimes as well as other cyber-facilitated forms of crime.
Rights of the individual need to be evaluated in relation to the rights of others to find a balance between
the individual interests and the greater interest of all citizens of a nation. In the case of serious crimes,
law enforcement may need to lawfully gain access to relevant communications.
The EU General Data Protection Regulation (GDPR) has made efforts to reconcile the individual’s right
with other relevant rights. On the one hand, the regulation requires businesses to protect personal data
during any of its data processing activities (introducing end-to-end encryption as a viable method to
achieve such protection), while on the other, it requires businesses to be able to access personal data that
may be encrypted, in order to comply with lawful interception as well as ‘Data Subject Access Requests’.
Specifically, Article 15 of the EU GDPR provides that EU citizens (the ‘data subject’) have the right to
receive confirmation that an organisation is processing their personal data, as well as the right to receive
a copy of that data. Individuals also have the right to obtain a variety of supplementary information.