Privacy nutrition labels, App Store and the GDPR: Unintended consequences?

Abstract

In an effort to increase the transparency of personal data processing carried out via applications listed on their mobile store, Apple recently announced the launch of privacy nutrition labels (PNLs). Aimed at informing users about an application's use of data, these card-like labels are prominently visible on each application's App Store page. This paper explores whether such disclosures made via PNLs can help data controllers fulfil their duty of transparency under the EU General Data Protection Regulation (GDPR). It establishes that the PNLs, in their current, highly standardised fashion, cannot convey the mandatory obligations required by the GDPR. Added to this, they cannot adequately supplement existing privacy policies, either — as they neither serve an adequate role as a ‘first layer’ of a privacy notice, nor help communicate information more efficiently. However, the paper finds that the PNLs might serve another purpose: enhancing data controllers' internal compliance routines. PNLs, even with their current limitations, can bring tangible improvements to cross-functional communication, third-party sharing awareness, records of processing accuracy, adherence to the data protection principles and adequate resource assignment. The overall conclusion of the paper, counterintuitive as it might appear, is that PNLs should be viewed as an organisational measure-enhancing mechanism rather than a transparency tool.