In an increasingly interconnected world, application programming interfaces (APIs) are used to link systems and services together as efficiently as possible. The legal dimension of APIs is still unclear to most people, particularly with regard to the General Data Protection Regulation (GDPR).
The French data protection authority CNIL has published recommendations on this. We explain to companies and developers the obligations regarding the design, implementation, and operation of APIs that are addressed therein.
Application Programming Interfaces
APIs form the backbone of the modern digital landscape. At their core, they are interfaces that enable different software applications to communicate with each other and exchange data. APIs act as a kind of translator between different programmes by enabling the smooth exchange of information.
These interfaces therefore enable companies to create innovative digital solutions. However, as the use of APIs progresses, the questions and concerns relating to data protection are also becoming more pressing.
In its recommendations, the CNIL therefore highlights various data protection aspects of using APIs. In particular, it points to privacy by design and privacy by default under Art. 25 GDPR.
API diversity: types and varieties at a glance
In general, APIs can be divided into kinds as well as into types. Distinguishing between the two gives a comprehensive view of the API landscape: the kinds describe the access context and the target group, while the types describe the functions offered and the technical implementation.
Together, these categories offer an almost holistic insight into the diversity of APIs, from access control to functional alignment and technological implementation.
Kinds of APIs
- Open APIs are accessible to the general public and can be used freely by developers. They are often provided by companies or organisations to enable third parties to access their services or data.
- Partner APIs are intended for selected partners or affiliated companies. Access is restricted and usually requires authorisation to ensure that only authorised partners can access it.
- Private APIs are intended for internal use within a company or organisation. Access is restricted to internal developers or specific applications and is not intended for external use.
Types of APIs
- Function-oriented APIs offer functions or services that can be called by developers, for example web services that provide payment processing or user authentication.
- File-oriented APIs enable the exchange of data in the form of files. One example is an API that enables the exchange of JSON or XML files.
- Protocol-oriented APIs use specific communication protocols to enable data exchange between applications. Examples of this are APIs based on HTTP, REST or SOAP.
- Object-oriented APIs are based on interaction with objects, often providing objects and their methods to perform specific tasks. Object-oriented APIs are usually relevant in programming languages such as Java or Python.
Players in the use of APIs
The CNIL identifies three main actors in the use of APIs: the data owner, the API manager and the data re-user. This differentiation is particularly important for determining responsibilities in the context of data protection.
- The data owner is the person or organisation that has technical and/or organisational control over the data. This can be both the API manager who provides the data and the API user who sends data via the API or performs other actions via it.
- The API manager is the person who manages the technical components on which the data release is based. In most cases, the API manager is also the API provider, but it can happen that they only have a technical role in the implementation of data sharing without being the provider or user themselves.
- A data re-user is any person who wishes to access or receive data via an API in order to use it for their own purposes. Here too, the data re-user can act both as an API user, who retrieves data via the API, and as an API provider, who receives data from owners via requests.
In legal terms, the data owner/controller generally bears the primary responsibility for data processing. However, if the purposes and means of the processing activity are jointly determined, the data controller may also be jointly responsible for the data processing with other actors, in particular with the data re-user.
The API manager, on the other hand, generally acts as a data processor (Art. 28 GDPR) and acts in accordance with the instructions of the data controller and/or the data re-user.
What are the risks of using APIs?
The clear benefits of APIs are offset by risks in various aspects, particularly with regard to data protection. The CNIL mentions aspects such as data minimisation, data accuracy, traceability, governance and data subject rights as well as information security as objectives that should be taken into account as part of the measures to be taken in order to minimise risks.
These objectives are illustrated by a list of factors that the CNIL is focussing on with regard to the use of APIs:
- Type of database access: Read-only or write access.
- Granting of authorisations and conditions for access to data: if access is subject to authorisation, what controls are in place to validate these requests, and what is the security level of the authentication techniques used?
- Type of organisations involved in sharing: technical maturity, European or non-European governance, operational capabilities, etc.
- Other technical and organisational measures planned to improve the security level of the system.
- Level of knowledge of the techniques used and the associated risks.
- Data categories that are accessible via the API: certain sensitive data within the meaning of Art. 9 GDPR or very personal data (such as bank data or geolocation data) are more likely to be the subject of attacks, and any data breach could have more serious consequences.
- Degree of precision of the data/queries: Possibility to access only certain areas or information.
Data protection requirements for APIs
When using APIs, the data protection rights of the data subjects must always be guaranteed. In the recommendation, the CNIL emphasises important aspects that must be taken into account when using APIs with regard to data protection guidelines:
Duty to inform
The CNIL emphasises that participating organisations that share data must provide clear and complete information (Art. 12 et seq. GDPR) about the processing activity of personal data. It is recommended that the traceability measures of APIs, such as logging access, be used to collect information.
In the case of high-risk APIs, data subjects should receive a complete list of data accesses, including time and date stamps. This makes it possible to identify illegitimate accesses. The CNIL also recommends making the list of data re-users available to data subjects. It is recommended to provide comprehensible information on the data shared, the frequency of access and the operations performed.
This information should be updated automatically. Data subjects must be informed individually of any significant changes, particularly in the event of new purposes of use or changes to access restrictions. The CNIL recommends communicating this information directly or at least making it accessible on a website.
Legal compliance in data selection
In order to comply with the current legal requirements for data sharing and to apply the principle of data minimisation, the CNIL recommends that data owners discuss with data re-users the data that is essential for each re-use. This makes it possible to limit the release to this specific data, while complying with all legal provisions on data release. In this context, the following points are emphasised:
- The selection of data categories, their format, their historical depth, their accuracy, their query frequency, the update frequency and any pseudonymisation or anonymisation measures applied should meet the requirements of the intended reuses.
- Once access has been granted, the dialogue between the data owner and the re-users should continue in order to obtain feedback.
- It is advisable to regularly review the data to be released in order to identify data that is no longer relevant and to stop releasing it. The selected data format should be clearly documented to minimise the risk of human or software misinterpretation.
- It is recommended to use a data validation tool to check whether the data exchanged via the API corresponds to the expected format (e.g. compliance with the API description, compliance with the expected data type, membership of a group of permitted values, etc.). This is intended to ensure correctness, completeness and conformity to the defined standards.
- The technical infrastructure, data formats and API query procedures should be closely aligned with the above recommendations to ensure that only relevant data is shared with the respective re-user. This is particularly important if there are different levels of access within a reuse organisation, depending on the security clearance of the individuals involved.
- Finally, in cases where the relevant data categories cannot be precisely identified prior to processing activity, it is recommended that an experimental phase be initiated. This experimental phase should be carried out under real conditions in a so-called sandbox version of the planned technical infrastructure and should be limited as far as possible to fictitious or modified data.
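The validation and minimisation steps above can be expressed as a small check on every record before it leaves the API. The following is an added example, not code from the CNIL recommendation or any product: the API description, the field names and the re-user name are constructed for illustration.

```python
from typing import Any

# Constructed API description for a hypothetical "customer" resource. Each field
# names its expected type and, where relevant, the permitted values (assumption).
API_DESCRIPTION = {
    "customer_id": {"type": str, "required": True},
    "country": {"type": str, "required": True, "allowed": {"FR", "DE", "IT"}},
    "plan": {"type": str, "required": False, "allowed": {"basic", "pro"}},
    "monthly_spend": {"type": (int, float), "required": False},
}

# Fields agreed with a given re-user (data minimisation): anything else is stripped.
AGREED_FIELDS = {"analytics-partner": {"customer_id", "country", "plan"}}


def validate_record(record: dict[str, Any], description: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the record conforms."""
    errors = []
    for name, rule in description.items():
        if name not in record:
            if rule.get("required"):
                errors.append(f"missing required field: {name}")
            continue
        value = record[name]
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name}: unexpected type {type(value).__name__}")
            continue
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{name}: value {value!r} not in permitted set")
    # Fields absent from the API description must not travel through the interface.
    for name in record:
        if name not in description:
            errors.append(f"unexpected field not in API description: {name}")
    return errors


def prepare_release(record: dict[str, Any], re_user: str) -> dict[str, Any]:
    """Validate a record and reduce it to the fields agreed with this re-user."""
    errors = validate_record(record, API_DESCRIPTION)
    if errors:
        raise ValueError("; ".join(errors))
    return {k: v for k, v in record.items() if k in AGREED_FIELDS[re_user]}
```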
Rights of data subjects
The CNIL’s recommendation emphasises that data subject rights (Art. 15 et seq. GDPR), such as the right of access, rectification, erasure, and data portability, also apply without restriction in the context of the use of APIs when data is transferred. The CNIL recommends that the process of exercising these rights be largely automated to ensure that they can be effectively implemented. In particular, if, for example, consent is withdrawn or the right to object is exercised by a data subject, the API’s technical system should automatically exclude the data concerned from the sharing process.
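The automatic exclusion after a withdrawal of consent described here, together with the time-stamped list of accesses that the section on the duty to inform calls for, can be implemented at the sharing layer. This is an added example rather than the CNIL's or any vendor's code; the records, subject ids and re-user name are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed records held by the data owner (subject ids are assumptions).
RECORDS = {
    "s-001": {"name": "A. Dupont", "city": "Lyon"},
    "s-002": {"name": "B. Martin", "city": "Lille"},
    "s-003": {"name": "C. Durand", "city": "Nice"},
}


@dataclass
class SharingGate:
    """Serves re-user requests while honouring objections and logging every access."""
    records: dict
    excluded: set = field(default_factory=set)    # subjects who withdrew consent or objected
    access_log: list = field(default_factory=list)

    def withdraw_consent(self, subject_id: str) -> None:
        # Exclusion takes effect immediately for every later sharing operation.
        self.excluded.add(subject_id)

    def share(self, re_user: str, subject_ids: list, fields: list,
              now: Optional[datetime] = None) -> dict:
        """Return the requested fields for subjects that may still be shared; log each access."""
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        released = {}
        for sid in subject_ids:
            if sid in self.excluded or sid not in self.records:
                continue
            released[sid] = {f: self.records[sid][f] for f in fields if f in self.records[sid]}
            self.access_log.append({"time": stamp, "re_user": re_user,
                                    "subject": sid, "fields": sorted(released[sid])})
        return released

    def accesses_for_subject(self, subject_id: str) -> list:
        """The time-stamped access list a data subject is entitled to receive."""
        return [e for e in self.access_log if e["subject"] == subject_id]
```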
Access management
For APIs that are subject to restricted access, the CNIL recommends mechanisms that ensure that only authorised users can access the data. This includes the implementation of procedures for authentication and authorisation as well as ensuring a clear assignment of access rights. Limiting access rights to the minimum necessary plays an important role in ensuring the security of sensitive data.
Security
The security of the authentication mechanisms should be guaranteed by robust cryptographic protocols. At the same time, it is important to ensure user-friendliness, for example by providing mechanisms for timely notification of the expiry of access authorisations and for easy renewal of these authorisations.
Internal API management
The CNIL’s recommendation suggests that dedicated governance should be introduced for each of the actors involved who exchange data via APIs. This approach should be documented and regularly monitored to ensure its effectiveness. The documentation, which should be easily accessible to all relevant parties, should formalise the procedures, in particular the emergency protocols to be implemented in the event of a data security incident.
In general, the management of APIs should be part of each actor’s information system security policy. Their integration should be included in existing security procedures, which should be adapted to take into account the specific risks of APIs.
Necessity of a DPIA
The CNIL also reiterates the need for a data protection impact assessment in accordance with Art. 35 GDPR if the data exchange process is likely to pose a high risk to the rights and freedoms of data subjects.
Conclusion
APIs are already being used in numerous applications. However, many data controllers do not realise the scope of the data protection aspects. APIs are often categorised as (technologically) fundamentally secure and are not even taken into account during the audit.
As the CNIL’s publication shows, there are also numerous points to consider with regard to data protection when using APIs. To ensure compliance with data protection requirements, the data protection officer should always be involved in the review process.