Automated GDPR compliance assessment for cross-border personal data transfers in android applications

The General Data Protection Regulation (GDPR) aims to ensure that all personal data processing activities are fair and transparent for the European Union (EU) citizens, regardless of whether these are carried out within the EU or anywhere else. To this end, it sets strict requirements to transfer personal data outside the EU. However, checking these requirements is a daunting task for supervisory authorities, particularly in the mobile app domain due to the huge number of apps available and their dynamic nature. In this paper, we propose a fully automated method for assessing the compliance of Android apps with the GDPR requirements for cross-border personal data transfers. We have applied the method to 4593 apps from the Google Play Store discovering that nearly half of the ones sending personal data are potentially non-compliant with GDPR requirements. These results reveal that there is still a very significant gap between what app providers do in practice and what is intended by the GDPR.