Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world. This derives from the fact that data
Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world. This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how others use their personal information. Therefore, for individuals to be able to exercise the appropriate level of control, it is imperative that they are first told how their information will be used. So irrespective of whether the use of that information is legitimised by an individual's consent, there is still an overarching obligation to be transparent about personal data uses. Recent developments confirm that this principle is still very much alive in the mindsets of regulators but also that compliance with the transparency obligation – as fundamental as it may be – is not without its challenges.
At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before. This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users' interaction with their devices in a clear and comprehensive manner. In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the "purpose limitation" principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater. This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive. Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.
The importance of privacy notices does not stop there. The Regional Court of Berlin has recently upheld the claims made by a German consumer protection association against Apple for being too broad brush with their public privacy policy. Apparently, the policy did not spell out specifically enough which uses applied to which types of data. This is an eyebrow raising decision not just because of its potential effect on Apple, but because the structure of Apple's policy is entirely in line with current market practice. In a similar vein, the Global Privacy Enforcement Network – which comprises privacy regulators from all over the world – has launched its Internet Privacy Sweep initiative aimed at reviewing the quality of privacy notices of consumer facing websites globally.
However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice. To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available. As essential as transparency may be, the reality is that understanding an organisation's data uses is not regarded as a priority in the context of accessing a service or making a transaction. In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used for the average individual to understand its implications. On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – present another practical difficulty in terms of making the right amount of information available at the right time and in the right format.
All in all, traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. In recent years, regulators have also favoured a layered approach to the provision of privacy notices. The next step in this evolution is the adoption of very short "contextual notices" that explain at the right time and in the right way, how certain user data will be used. These types of notices are probably Internet and mobile players' best chance of providing truly meaningful information when it matters.
In terms of content, the emphasis is likely to shift towards explaining how technology itself makes it possible for certain data to be collected and analysed. In other words, the content of privacy notices will focus more specifically on explaining how the relevant technology works. Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that some content will be replaced by icons and that privacy notices become akin to "nutritional labels". This is something that should be explored further by identifying key technological factors that may affect someone's privacy – such as the use of cookies, behavioural tracking and location tracking – that could then have their own symbol and a universally accepted intrusiveness grade. Certainly one to think about. The transition from today's predominantly lawyer-driven notices to a more down to earth approach to transparency about data uses will not happen overnight but the process has already started.
This article was first published in Data Protection Law & Policy in May 2013.
At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before. This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users' interaction with their devices in a clear and comprehensive manner. In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the "purpose limitation" principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater. This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive. Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.
The importance of privacy notices does not stop there. The Regional Court of Berlin has recently upheld the claims made by a German consumer protection association against Apple for being too broad brush with their public privacy policy. Apparently, the policy did not spell out specifically enough which uses applied to which types of data. This is an eyebrow raising decision not just because of its potential effect on Apple, but because the structure of Apple's policy is entirely in line with current market practice. In a similar vein, the Global Privacy Enforcement Network – which comprises privacy regulators from all over the world – has launched its Internet Privacy Sweep initiative aimed at reviewing the quality of privacy notices of consumer facing websites globally.
However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice. To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available. As essential as transparency may be, the reality is that understanding an organisation's data uses is not regarded as a priority in the context of accessing a service or making a transaction. In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used for the average individual to understand its implications. On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – present another practical difficulty in terms of making the right amount of information available at the right time and in the right format.
All in all, traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. In recent years, regulators have also favoured a layered approach to the provision of privacy notices. The next step in this evolution is the adoption of very short "contextual notices" that explain at the right time and in the right way, how certain user data will be used. These types of notices are probably Internet and mobile players' best chance of providing truly meaningful information when it matters.
In terms of content, the emphasis is likely to shift towards explaining how technology itself makes it possible for certain data to be collected and analysed. In other words, the content of privacy notices will focus more specifically on explaining how the relevant technology works. Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that some content will be replaced by icons and that privacy notices become akin to "nutritional labels". This is something that should be explored further by identifying key technological factors that may affect someone's privacy – such as the use of cookies, behavioural tracking and location tracking – that could then have their own symbol and a universally accepted intrusiveness grade. Certainly one to think about. The transition from today's predominantly lawyer-driven notices to a more down to earth approach to transparency about data uses will not happen overnight but the process has already started.
This article was first published in Data Protection Law & Policy in May 2013.