In an unusual case, a national regulator has opted to hold Apple and Google accountable for the practices of software they allowed to be listed on their app stores. A facial image manipulation app called “FaceApp” was penalized in Brazil for massive quantities of improperly disclosed data collection, with the judge ruling that the tech giants each also deserved a fine equal to about $3.1 million simply for allowing the app to be available for download.
App stores penalized for the content of a third-party app
FaceApp is a popular photo and video manipulation app that has been available for about eight years, primarily used to add silly overlays to personal photos and to “gender-swap” them. It has also taken heat for its data collection practices for years, first criticized in 2019 for its storage of uploaded photos on its own cloud servers and terms of use allowing the company to deploy these photos for “commercial purposes.” The criticism rose to the point that US Senator Chuck Schumer called for an investigation into the Russia-based app.
A Brazilian judge recently found that the app’s policies constituted large-scale data theft under the Brazilian Civil Rights Framework for the Internet, even though user consent is technically given before the app can be used. In addition to finding the terms of the “license” that users grant the company to be too broad, the judge found that adequate consent cannot be obtained in Brazil when the privacy and use policies are not available in Portuguese.
That sort of ruling is not unusual, but involving app stores is. The judge went on to establish that because Apple and Google “play an active role in the consumer chain,” they share a level of responsibility for the app’s data collection despite having no role whatsoever in its development or operation. Simply allowing it to exist in their app stores has put them on the hook for the equivalent of about $82 USD for each person in Brazil who downloaded the app since June 2020.
While the fine will hardly break either of the two tech titans, the ruling could provide a precedent on data collection that could prove much more costly in the future if applied to everything else made available on app stores. It has yet to be finalized by the courts, and an appeals process is available to each company. Should it stand in the end, it might also prompt legal challenges in other countries along the same lines.
Ruling could force app stores to take much closer looks at data collection policies
Outside of China, app stores are almost never held legally liable for the data collection practices of individual apps unless they are involved with the development or maintenance of that app in some way. Even in the regions with the most stringent data protection regimes, such as the EU, regulators will go after the app for any privacy or data collection violations. In the US, this was solidified with a 2013 court ruling that established that Section 230 protections (which shield platforms from liability for user-generated content that they publish) can be extended to app stores. That somewhat bizarre case featured the musical artist Chubby Checker, who sued the Hewlett-Packard app store for carrying a third-party app that made use of his name without his consent.
App stores generally do not face strict legal requirements of any kind in terms of screening the apps they make available for download. They can be held liable for apps that make assorted forms of harmful content available in a number of jurisdictions, however, something that necessitates at least some level of screening prior to listing. But strictly in terms of data collection, screening requirements are much looser, and any scrutiny that developers face from Apple or Google here would be more in the interest of brand protection and customer experience. App stores are thus still something of a “Wild West” in terms of user privacy, requiring consumers to be careful about their device settings and the permissions that they agree to grant.
The data collection issue is also not Apple’s only regulatory problem in Brazil that involves its app store. Competition regulator CADE is currently bringing a case that could require Apple to facilitate sideloading on its devices and open them up to alternative payment systems. Apple won a victory in that case in December when a federal court overturned an injunction that would have required it to implement these changes within 20 days, but the regulator is likely to appeal that ruling. CADE also launched an investigation into anti-competitive practices by Google’s app store in April of last year, followed by a second investigation launched in early December.