GDPR-Relevant Privacy Concerns in Mobile Apps Research: A Systematic Literature Review

TL;DR

This systematic literature review analyzes GDPR privacy concerns in mobile apps, highlighting current research focus areas, identifying gaps such as indirect data collection, and suggesting directions for future studies to enhance privacy compliance.

Contribution

The paper provides a comprehensive categorization of GDPR-related privacy concerns in mobile apps and identifies key research gaps for future investigation.

Findings

Focus on direct data collection, data sharing, and user consent analysis.

Identified gaps in understanding indirect data collection and legal basis impacts.

Calls for research on implementation details for data subject rights.

Abstract

The General Data Protection Regulation (GDPR) is considered as the benchmark in the European Union (EU) for privacy and data protection standards. Since before its entry into force in 2018, substantial research has been conducted in the software engineering (SE) literature investigating the elicitation, representation, and verification of GDPR privacy requirements. Software systems deployed anywhere in the world must comply with GDPR as long as they handle personal data of EU residents. Mobile applications (apps) are no different in that regard. With the growing pervasiveness of mobile apps and their increasing demand for personal data, privacy concerns have acquired further interest within the SE community. Despite the extensive literature on GDPR-relevant privacy concerns in mobile apps, there is no secondary study that describes, analyzes, and categorizes the current focus. Research gaps and persistent challenges are thus left unnoticed. This article aims to provide a comprehensive overview of the existing research on GDPR privacy concerns in the context of mobile apps. To do so, we conducted a systematic literature review of 60 primary studies. Our findings show that existing studies predominantly address three key GDPR-related privacy concerns: (i) the direct collection of personal data from users, (ii) the sharing of personal data with external entities (e.g., third parties) beyond the mobile apps, and (iii) the analysis of user consent as a legal basis for collecting personal data. Our study highlighted research gaps, calling for further research to better understand: (i) the indirect collection of personal data, e.g., data exposed to mobile apps through, e.g., permission requests, (ii) the impact of legal bases beyond consent and how they may affect the development of mobile apps, and (iii) the required implementation details pertinent to data subject rights.