G360-Expanded

No Body’s Business But Mine: How Menstruation Apps Are Sharing Your Data

April 30, 2025


It should be underlined that the observations above refer to MIA’s practices at the time of the research, namely in May 2019.

What about the other apps?

We also looked at the following apps and found that they all informed Facebook when you open the app:

  • My Period Tracker by Linchpin Health (over 1 million downloads on Google Play),
  • Ovulation Calculator by Pinkbird (over 500,000 downloads on Google Play),
  • Mi Calendario by Grupo Familia (over 1 million downloads on Google Play)

As we highlighted earlier, this alone already reveals information that could potentially be used for advertising purposes, and it is all the more worrying that this happens without the users’ consent.

Mi Calendario by Grupo Familia was also using an outdated version of the Facebook SDK, which presents security concerns.

What does the law say about all this?

When it comes to data protection, the big divide remains whether the app is based in the European Union or offers services to users who are in the European Union, or whether it is based outside the European Union and not aimed at users in the European Union. If you are in the EU, you are protected by the General Data Protection Regulation (GDPR).

Privacy International has been calling out the practices of companies that set different standards for their EU customers and their non-EU customers, as we believe everyone should benefit from the high standards of protection GDPR has set.

GDPR obliges data controllers (in this case, the company that owns the app) to provide adequate information to data subjects (the users) so that they are properly informed about the use of their personal data. In practice this is mostly done through privacy policies, which provide some basic information to users regarding possible uses, purposes, transfers, among other things, of people’s personal data. Those policies need to be written in concise, plain, understandable and user-friendly language. However, the problem most of the time is that these policies contain vague and generic wording or merely provide for indicative or non-exhaustive lists of what the company can do with your data. European data protection laws, namely the GDPR, oblige controllers to provide data subjects with information relating, at least, to the contact details of the controller, the purposes and legal bases under which their personal data will be processed, information about the recipients to which their personal data will be disclosed, including third country transfers, as well as basic information regarding the exercise of their data protection rights, such as the right to access their personal data, request their erasure or lodge a complaint with their regulator etc. This information needs to be provided at the point of collection of personal data from users.

Maya by Plackal Tech

Maya, like every app we have reviewed for this research, processes large amounts of personal data, including data relating to health, which could be deemed as a special category data (sensitive data) under EU data protection laws, as we highlighted before.

In their privacy policy (as of August 19th 2019), Plackal Tech is explicit that Maya collects information about “notes, symptoms, or moods” as well as “information that you enter into the App, including the length of your menstrual cycles, and general information about your health such your weight, mood, temperature and/or any physical intimacy”.

Plackal Tech is located in India. However, it is serving EU users as it is available on the Google Play Store UK, which means that a UK user can download and use the app in the EU. Although they do not specifically mention use by EU users, the Terms and Privacy Policy of the app states that the app is available in India or in other jurisdictions (sic).

EU data protection law forbids the processing of special category data, except under specific circumstances, such as with the explicit consent of the user. In this case, it is questionable whether Maya could claim to have obtained users’ informed, unambiguous and explicit consent for its data sharing, considering that personal data is shared before users even get to see, let alone agree to, the privacy policy. In other words, it is hard to see how an average user would even implicitly agree to an app sharing such intimate details of their health and sexual life with Facebook, as this goes beyond what one would reasonably expect in this context.

Plackal Tech also states that they “may also collect the precise location of your device when the app is running in the foreground or background”. They “may also derive your approximate location from your IP address”.

It is questionable whether this extensive data collection is strictly necessary for providing the service requested by users and, accordingly, raises a series of questions regarding the compatibility of these apps with EU data protection law. For example, the principle of data minimisation requires controllers to process the minimum amount of personal data that is necessary for providing the service.

While Maya’s privacy policy states that information might be disclosed to third parties, it does not provide precise information about the categories of personal data of users that it is disclosing or any precise information about who these third parties might be.

Although the privacy policy mentions that no personal data is disclosed to advertisers, it also states that users’ personal data may be used “to comply with our advertisers’ wishes by displaying their advertisement to that target audience”; it does not specify whether this also involves health-related data.

It is also worth noting that Maya does not seem to provide adequate information regarding the rights of EU users. For example, the privacy policy does not provide adequate information about users’ rights to rectify their personal data or any information about their right to lodge a complaint with the supervisory authority.

MIA by Mobapp Development Limited

As we highlighted before, the question of the collection of “sensitive data” arises again with MIA’s privacy policy (as of August 19th 2019), which, at the time of research, clearly stated that the app may collect “menstrual cycles dates, symptoms related to menstrual cycle, information about health and activities (sleep, mood, diseases, sex, steps etc.), body measurements, which may include information about personal health issues you provide, including information about your physical states”.

Additionally, MIA mentioned in their privacy policy that it could use the personal data it collected for a number of purposes, including for “training of machine-learning algorithms” and “performing background checks on users”. However, the privacy policy did not specify what exact categories of personal data could be used for these purposes and whether this included sensitive data relating to sexual health. This raises serious transparency concerns, as users need to be given meaningful information about the use of algorithms by these services, and especially how this use might affect them.

GDPR applies to MIA as the data controller is based in the EU (Cyprus) and the app is available for download on the Google Play Store UK. In other words, as EU users located in the UK are able to download and use the app, MIA seems to be offering its services to EU users and therefore needs to abide by its GDPR obligations.

 

My Period Tracker by Linchpin Health

My Period Tracker by Linchpin Health is also available for download by EU users, as it is featured on the Google Play Store UK, which might mean that it is serving an EU audience and thus needs to comply with EU data protection laws (GDPR). However, there is no functioning link to the app’s privacy policy or even website on the Google Play Store, which might constitute a breach of GDPR and a failure of the controller to adequately inform data subjects about the uses of their data.

 

Mi Calendario

It should be mentioned that, based on its privacy policy, Mi Calendario seems to be targeting a Latin American audience.

It is worth noting that, at the time of writing, the link to their privacy policy on the Google Play Store was not working. Following the sharing of our report with Mi Calendario, the link has now been fixed.

 

Conclusion

The wide reach of the apps that our research has looked at might mean that intimate details of the private lives of millions of users across the world are shared with Facebook and other third parties without those users’ free, unambiguous and informed consent, or, in the case of special-category (sensitive) personal data such as data relating to a user’s health or sex life, without their explicit consent.

Our research highlights that the apps we have exposed raise serious concerns when it comes to their compliance with their GDPR obligations, especially around consent and transparency. Indeed, EU data protection law seeks to ensure that users maintain control over their personal data at all times and are aware of the exact and specific purposes for which controllers, namely companies, might use these data. It applies equally to controllers that process data within the EU/EEA and to controllers that are based outside the EU/EEA but still target EU users with their services.

This raises interesting points. First, even when GDPR applies, for example, in EU/EEA countries, this does not mean that controllers abide by the regulation. As our research illustrates, apps targeting EU users need to comply with, among others, strict consent and transparency obligations regarding the processing of personal data, but they often fail to do so. This should lead to a call for stronger enforcement – EU data protection laws have always been there, what is needed is effective and fruitful investigations by regulators.

Secondly, while apps that are located in Europe might be failing to meet their GDPR obligations, EU users are still provided with an appropriate right of redress, such as the possibility to raise the issue with the controller directly, or to file a complaint before their national supervisory authority, or even to bring a case against the controller before national courts. However, the case is not the same for users based in countries without proper data protection laws or with data protection laws that lack effective enforcement. The practices highlighted by this research should serve as an example of abuse that should prompt law-makers and regulators to uphold users’ rights.

Companies should also not escape their responsibilities. Facebook has announced that it will launch a tool enabling its users to stop apps and businesses from sharing their data with the social network, which will address the problem for some users. However, it is insufficient, as it will fail to protect app users who do not have a Facebook profile.

The responsibility should not be on users to worry about what they are sharing with the apps they have chosen. The responsibility should be on the companies to comply with their legal obligations and live up to the trust that users will have placed in them when deciding to use their service. In order to guide best practices, we are suggesting the following recommendations:

Recommendations for menstruation apps

  • Undertake in-depth privacy and risk impact assessments when designing their applications with consideration for their users and the potential harms they could experience.
  • Limit the data collected: many menstruation apps appear to request superfluous data – including sensitive personal data – to build a profile of their users. Only data that is necessary for the purpose the app states should be collected.
  • Limit data sharing only to what is strictly necessary for the purpose of providing the services. This requires checking default data sharing settings of tools provided by third-parties such as Facebook’s SDK or third-party data management tools.

Recommendations for non-EU governments

  • Implement effective data protection legislation which complies with internationally recognised data protection standards and aligns with their national and international human rights obligations to protect people’s dignity and autonomy, in order to ensure that the processing of personal data by public and private entities is effectively regulated.

Recommendations for Facebook

  • Facebook needs to better explain how it uses the data that it automatically receives through the Facebook SDK, how long the data is stored and if it is being shared. 
  • Facebook should do more to offer products and services that make it as easy as possible for developers to protect the privacy of their users by design and by default. For instance, the default implementation of the SDK should not automatically transmit data the second an app is launched. 
  • Facebook should take steps to make it easier for people to exercise their data rights on all personal data that Facebook stores, whether they have a Facebook account or not. 

Recommendations for regulators

  • Ensure data protection laws are properly enforced.
  • Give extra scrutiny to apps that under the pretence of necessity disproportionately collect vast amounts of health data (including sexual health data) and share it without the explicit consent of users.
  • Ensure app developers abide by the transparency requirements of EU data protection laws.
  • Make sure users maintain control over their data and can meaningfully exercise their data protection rights.

Recommendations for users

Even if they will not affect the kind of tracking that we have described in this report, we recommend that people make full use of all existing privacy settings, including:

  • Resetting your advertising ID regularly. This can be found on most Android devices under Settings > Google > Ads > Reset Advertising ID.
  • Limiting ad personalization by opting out of ad personalization in the Android settings. This can be found on most Android devices under Settings > Google > Ads > Opt out of personalized Advertising.
  • Regularly reviewing the permissions that you have given to different apps and limiting them to what is strictly necessary for the way in which you want to use that app. This can be found on most Android devices under Settings > Apps or Application Manager (depending on your device, this may look different) > tap the app you want to review > Permissions.
