Question 22
Domain 3 — Privacy Architecture and Data Protection by Design
Which of the following is MOST important when designing application programming interfaces (APIs) that enable mobile device applications to access personal data?
Correct answer: C
Explanation
APIs that let mobile apps access personal data must be built around user permission because personal data is protected information. Privacy rules generally require that data be shared only with the user’s authorization, so "user consent to share personal data" is the key design requirement. Without consent, the API would expose data unlawfully.
Why each option is right or wrong
A. The user’s ability to select, filter, and transform data before it is shared
Granular data controls are helpful privacy features, but they do not replace explicit user permission.
B. Umbrella consent for multiple applications by the same developer
Broad consent across multiple apps is usually too expansive; consent should be specific and informed.
C. User consent to share personal data
The controlling privacy principle is that personal data may be processed or disclosed only with a lawful basis, and for app-to-API access the relevant basis is the data subject’s consent under GDPR Article 6(1)(a) and Article 7. Consent must be freely given, specific, informed, and unambiguous, so the API design has to enforce explicit authorization before any personal data is returned. In mobile contexts, this is the first gatekeeper requirement; without it, the interface would permit unauthorized disclosure of protected data regardless of technical functionality.
D. Unlimited retention of personal data by third parties
Indefinite third-party retention conflicts with data minimization and privacy-by-design principles.