The concept of "online privacy" has become something of a watchword in the technology industry, yet there is no clear answer as to what it is or how it can be effectively protected. This article looks at what online privacy really is, the issues with protecting it under existing data protection legislation, and how these issues will be affected by the new draft European-wide legislation (the "Regulation") published earlier this month.1

What is online privacy?

What does the term "online privacy" actually mean?

If you asked the average person on the street ten years ago what "online privacy" meant they might well have cited protection of credit card details and home addresses, probably because these were the personal details that many people at that point were most aware of "putting into" the internet. Nowadays the landscape of data collection and creation has changed dramatically, such that the information to be protected encompasses browsing histories, shopping habits, geographical location, social connections, music tastes, tweets, and in fact almost every aspect of your life that is in any way connected to use of the internet.

Why should online privacy be treated differently from any other form of privacy?

The reason online privacy is regarded separately from any other form of privacy is based on two key factors. It is worth focusing briefly on what these factors are before looking into how the law deals with them.

1. Background usage

The first factor is the ease with which data about an individual collected in the online world can be stored, duplicated and transmitted without that individual's knowledge. A typical example of this is the use of cookies (such as tracking cookies) to collect information on individuals' internet usage. Cookies are now wholly commonplace in the online world, particularly in the area of advertising. Such cookies are in some ways the fuel of the internet, as the advertising revenue generated from their use is the financial backbone of many "free-to-air" web services. The use of targeted advertising also brings benefits to consumers, who receive tailored and relevant advertising.

However, many individuals are simply not aware of the fact that their use of the internet is being tracked by providers of websites they have visited. Much less are they aware of the fact that details about their internet usage – their "online profile" – are often sold to third parties such that individuals receive unsolicited targeted advertising from companies they have had no dealings with.

Regardless of the benefits, this type of behind-the-scenes tracking is something that many consumers find somewhat unnerving, and an infringement of their privacy.2 Should this reaction come as a surprise? After all, if you bought a piece of cheese in a shop, you might not be surprised if the shop owner remembered this and on your next visit told you about a new type of cheese on offer; you might, however, be a little unnerved if you went to a restaurant in a different town a week later and the waiter brought you a menu with only cheese-based dishes on it, because the shop owner had rung ahead to tell the restaurant what you liked. The oddity of this analogy in itself demonstrates the difference between the privacy concerns presented by information collection in the online and offline worlds: a type of information sharing that would be absurd in an offline environment is entirely commonplace in e-commerce, and the measures needed to protect privacy in this setting must accordingly be viewed in a different light.

2. Personal broadcasting

The second factor which distinguishes online privacy from other privacy considerations is the ease and breadth with which individuals can transmit information about themselves, without necessarily any real understanding of the ramifications of doing so. The greatly increased access to communications technology and the meteoric rise of social networks in the last decade have resulted in huge amounts of individuals' personal information being made freely available to truly vast audiences. The lack of understanding that many people have about privacy settings and how their information can be used - whether for legitimate commercial purposes, profiling, job interviews,3 journalism or even crime - is evident. And yet many will react negatively to reuse of that information for purposes they had not intended, or thought of, at the time they shared it. In an offline world the giving of information to friends and acquaintances is of less concern because the impact is so much smaller. Take photo sharing: if you give one, two, even twenty hard copies of a photo of yourself to different acquaintances, the number of people likely to see that photo is incredibly small compared to the potential audience of the same photo posted to an unrestricted social media profile. Again, issues of privacy need to be addressed in a different light given the difference in impact in an online environment.

The element that links these two factors together is the desire that, when we do share information for one purpose, it is not taken and used for some other purpose we didn't know about or approve. This is of course also a tenet of any form of privacy: the difference in an online world is the scale of the impact of a breach of privacy, due largely to the differing technological means of mass information-sharing. It is these means that any legal system seeking to protect online privacy must deal with; the real challenge is to deal with them in a way which does not unduly impede the effective use of technology in society.

Is the DPA sufficient to deal with online privacy?

1. Who is the data controller?

To any lawyer versed in the fundamentals of the Data Protection Act 1998 ("DPA"), the concept of using personal information only for approved purposes is instantly familiar territory. The DPA's core tenet of using personal data only for the purposes for which consent was given by the data subject should therefore theoretically still be sufficient for the current climate. To a large extent the DPA's framework has coped extremely well with the shifting face of technology and data usage over the past fifteen years. However, where the DPA is now arguably lacking - amongst other things - is in the shift in the identity of the data controller.

When the data protection Directive (95/46/EC) was created in 1995, it was really only large corporates and government departments that had the capacity to store, manipulate and transmit - to "control" - large amounts of information about individuals. As such it was entirely appropriate at that time that regulatory obligations concerning such data were focused on those bodies: they were big enough, and sophisticated enough, to be expected to understand and comply with the regulations imposed on them.

By contrast, individuals are now data controllers of their own personal data in ways which could not have been predicted in the mid-1990s. They are technology-literate, and have ready access to a myriad of facilities to store, manipulate, replicate and transfer huge amounts of both their own personal data and the personal data of other individuals they interact with online. The DPA does exempt the use of personal data for domestic purposes from the scope of its requirements,4 but at the time of the Directive the scale of information-sharing practised by individuals for domestic purposes was tiny compared to the level of sharing possible now.

So the DPA does not intervene in individuals' "domestic" activities, but should it now do so in order to protect other individuals' privacy? The risks to privacy are self-evident, but it is not realistic or rational to expect every Facebook-using or internet-surfing individual – or even small emerging companies - to become expert in data protection regulation. Nor does it serve the interests of society as a whole to clamp down on any use of personal data at all. We will look below at the Regulation's response to this anomaly.

2. Quality of consent

The level of consent needed to satisfy the DPA is a complex issue. The variety of methods by which personal information can be used and transmitted is again far beyond the scope of what was legislated for in the mid-1990s. The text of the DPA has again held up remarkably well against this changing landscape. Nonetheless, online commercial practice has in many aspects developed in a manner which technically satisfies the DPA's requirements but is unsatisfactory in the context of the spirit of the DPA's core principles.

A good example of this is the recent iPhone location data debacle, when it emerged that Apple were monitoring and storing iPhone users' location data without full disclosure to those users.5 Although this was largely seen as an issue related to a specific and separate category of data, it was really a classic consent issue like any other: had consent been validly obtained for the use which was being made of information relevant to an individual? Yes, Apple could point to their terms and conditions, and in doing so could evidence that their customers had "accepted" the use of this data by accepting those terms and conditions when setting up the phone's software. The question was therefore not "was some level of consent gained?", but "was that consent good enough?" Answering this question ultimately required a common sense interpretation of (i) whether those whose locations had been tracked really knew it was happening, and (ii) what they would think of it if they did. The answer to the first question was almost universally "no". The answer to the second question was, in one case at least, "pretty creepy, but also kind of cool".6

Tracking cookies are another example of the same phenomenon: if an internet user is on a website and has therefore technically accepted its privacy policy - including consents to the use of tracking cookies - can we interpret this to mean that they have actually "given their consent" within the meaning of the DPA? Whatever the answer to this question should be, the fact is that huge numbers of web providers have interpreted this type of activity as giving sufficient consent, and entire industries have been built up around this interpretation. The fact that such practices are now so embedded is the result not necessarily of deficiencies in the DPA itself, but of deficiencies in the interpretation and enforcement of it. Location data was seen as a new type of personal data and was therefore picked out for special attention. But the phenomenon is far broader, far more entrenched, and presents real issues for legislators, regulators and businesses.

3. The "right to be forgotten"

This phrase is another watchword in the context of online privacy, but its meaning is again unclear. At its base it is an insistence that individuals should have the right to demand that their personal information is removed from particular databases. However, this is already possible under the existing legislation: a data subject can withdraw their consent to any "processing" of their personal data, and "processing" is so broad a definition that it would encompass even holding a copy of such information, i.e. not deleting it. The gap between this technical right and reality lies in the lack of a practical means for an individual to effect such a deletion, given that the data may have proliferated to multiple unknown parties. Again, this is more a question of interpretation and enforcement of the DPA than a deficiency in the legislation itself. As such, the many discussions on the potential introduction of a "right to be forgotten" are arguably discussions about the better enforcement of an existing right to withdraw consent.

4. Privacy vs publishing - should all aspects of online information-sharing be protected?

It is arguable that not every aspect of information-sharing by individuals can or should be protected by law. Some of the typical examples given in relation to "breaches of online privacy" are where details or photos on a Facebook page, or information on Twitter, are used by journalists, employers or criminals. However, there is a strong argument that in many such cases there is no longer any "privacy" to be breached, as the information has in fact been published, and any right to privacy in respect of that information has been waived.

Similar to the change in the identity of "data controllers" outlined above, changes in technology have occasioned a change in the identity of "publishers". Where a Twitter feed has, for instance, several hundred, or several thousand followers, is the information in that feed still "private" in a way that should be protected, or has it in fact been "published" in the conventional sense of the term? To turn this on its head, if a magazine is available only to a list of 1,000 subscribers, it would surely not be reasonable to claim that any information in that magazine is private and has not been published into the public domain. On the other hand there is clearly an argument that, for example, a Facebook user with a limited number of friends and tight security settings really does have a legitimate expectation that the information they share will not be seen by others. But where is the dividing line between private communication and personalised publication? 25 recipients? 100? 1,000?

Where does this leave the law in relation to protecting the information of those who really do have a legitimate expectation of privacy? Due to the blurriness of the dividing line between private sharing and publication, it will always be very difficult to enforce, or even to design, a form of regulation that will provide protection only where protection is really needed. To clamp down on any use of such "published" information would raise significant freedom of speech concerns; to allow all such usage would clearly be unsatisfactory. There may be a middle ground involving education of users in the way they transmit information - which may ultimately have the effect of informing individuals of the point at which they lose their right to protection - and several organisations including Vodafone have advocated this approach.7 Privacy by design, i.e. designing systems such that the default position is to keep information private and not to disclose it, is also increasingly discussed as a means of mitigating this risk.

Principle vs reality

The obvious difficulty in strict enforcement of the DPA - or in designing any new legislation to protect individuals' rights to control their personal data - is in finding the correct balance between quality of consent and effective provision of desirable functionality. The danger is always that burdening a technological process with excessive consent screens will hamper functionality and usability and increase drop-off rates, in ways which may cause significant damage to certain areas of online commerce.

We have already had a taste of the impact that stricter privacy enforcement may have on the practical functioning of online businesses, in relation to consent-gathering. The Privacy and Electronic Communications (EC Directive) Regulations 2003 impose obligations on website providers using cookies to obtain informed and specific consent from individuals in relation to all the uses of the cookies, other than cookies strictly necessary to provide a service the user has requested.8 Despite the compliance deadline being just 3 months from now, there is as yet no clear method for obtaining such consent in a way that will satisfy the regulations without some form of pop-up window and check box. The fear is that, through having to obtain informed and specific consent from individuals in this way, drop-off rates in surfing will be greatly increased, reducing advertising revenue and therefore the diversity of free web-based services available to consumers. The alternative is to stop using cookies altogether, which would have the same or a worse effect on advertising revenue, and would simultaneously stop businesses from carrying out important usage analytics. First and foremost, however, constant pop-ups would make internet surfing unbearably cumbersome.

Is there a balance to be struck? On cookies, one suggestion is to apply an objective test to what constitutes "normal usage" of data in the circumstances, and to have to seek specific consent only for usage in excess of that level ("I expect you to remember what cheese I like when I'm in the shop, but you have to ask me before you start ringing all the restaurants in the UK telling them..."). This might free up the surfing experience for most, whilst removing some of the more unnerving aspects of current data sharing. Sadly, however, this does not appear to be the approach taken in the Regulation (see below).
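As an added illustration (not code from the original article, and not taken from any regulator's guidance), the following Node.js snippet shows what the "privacy by design" default described above, the tiered consent suggested for cookies, and the withdrawal of consent discussed under the "right to be forgotten" look like when implemented on a web server. It gates Set-Cookie headers on a purpose-specific consent record: strictly necessary cookies are always set, first-party analytics and third-party advertising cookies only after an explicit opt-in for that purpose, and anything refused or withdrawn is expired. The cookie names, the purpose categories and the shape of the consent record are assumptions made for the example.

```javascript
// Added example; not code from the original article or from any regulator.
// A server-side cookie gate that applies "privacy by design": strictly
// necessary cookies are set by default, any other purpose only after an
// explicit, purpose-specific opt-in, and withdrawal expires what was set.
// Cookie names, purposes and the consent-record shape are hypothetical.

const COOKIE_PURPOSES = {
  session_id: 'strictly_necessary',  // keeps the user logged in
  csrf_token: 'strictly_necessary',  // protects forms; exempt from consent
  site_analytics: 'analytics',       // first-party usage statistics
  ad_tracker: 'advertising',         // third-party behavioural advertising
};
const CONSENT_PURPOSES = ['analytics', 'advertising'];

function knownCookie(name) {
  return Object.prototype.hasOwnProperty.call(COOKIE_PURPOSES, name);
}

// Build a consent record from what the user actively ticked. Only a literal
// `true` counts, so pre-ticked boxes, strings or silence are refusals.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const purpose of CONSENT_PURPOSES) {
    granted[purpose] = choices[purpose] === true;
  }
  return { granted, recordedAt: now, policyVersion: 1 };
}

// Withdrawing consent for one purpose returns a fresh record; the caller
// stops setting, and expires, the cookies that purpose covered.
function withdrawConsent(record, purpose, now = Date.now()) {
  return { ...record, granted: { ...record.granted, [purpose]: false }, recordedAt: now };
}

// The "implicit consent" model the article criticises: visiting the site is
// treated as agreement to every cookie named in the privacy policy.
function implicitConsentDecision(requested) {
  return requested.filter(knownCookie);
}

// Default-deny model: unknown cookies are never set, strictly necessary ones
// always are, the rest need an affirmative opt-in for their purpose.
// `record` is null when the user has not yet made a choice.
function explicitConsentDecision(requested, record) {
  return requested.filter((name) => {
    if (!knownCookie(name)) return false;
    const purpose = COOKIE_PURPOSES[name];
    if (purpose === 'strictly_necessary') return true;
    return record !== null && record.granted[purpose] === true;
  });
}

// One Set-Cookie header with hardening attributes on by default.
function buildSetCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Lax', httpOnly = true } = {}) {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'Secure',
    `SameSite=${sameSite}`,
  ];
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Header that deletes a cookie the user has not (or no longer) consented to.
function buildExpireCookie(name) {
  return `${name}=; Max-Age=0; Path=/; Secure; SameSite=Lax; HttpOnly`;
}

// Full header set for a response: set what is allowed, expire the rest.
function cookieHeadersFor(requested, record, values = {}) {
  const allowed = explicitConsentDecision(requested, record);
  const set = allowed.map((name) => buildSetCookie(name, values[name] || `v-${name}`));
  const expire = requested
    .filter((name) => knownCookie(name) && !allowed.includes(name))
    .map(buildExpireCookie);
  return { set, expire };
}

// Demo on a constructed request for five cookies (sample input, not real data).
const wanted = ['session_id', 'csrf_token', 'site_analytics', 'ad_tracker', 'unknown_widget'];
console.log('implicit model  :', implicitConsentDecision(wanted));
console.log('no choice yet   :', explicitConsentDecision(wanted, null));
const consent = recordConsent({ analytics: true, advertising: 'on' });
console.log('analytics opt-in:', explicitConsentDecision(wanted, consent));
console.log('after withdrawal:', cookieHeadersFor(wanted, withdrawConsent(consent, 'analytics')));
```

The design choice worth noting is that refusal is the zero state: a missing record, a pre-ticked box or a truthy string all fall through to "not set", so the only way a tracking cookie is ever issued is a recorded `true` for its purpose, which is the evidence a controller would need to show that consent was specific and informed rather than inferred from a visit.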

However, in all aspects of online privacy, legislators and regulators need to be acutely conscious of the potential detriment that strict enforcement of principles may have. There will be many circumstances in which strict insistence on privacy will undo some of the great benefits that information usage can bring, without conferring any real benefit on the individual and in fact bringing disadvantages to the very people it is trying to protect.

The Regulation's approach to online privacy

Firstly, it should be clarified that the Regulation9 is currently only in draft form, and it will be some time before it becomes law (the current DPA emerged only some five years after the proposal that led to it).

Nonetheless, the draft makes for interesting reading. In relation to the issues outlined above, it:

  • explicitly exempts individuals from the requirements of the Regulation10 – thereby moving away from the idea of "everyone is a data controller";
  • exempts "micro, small and medium-sized enterprises" from many of the more onerous requirements of the Regulation – thereby intending to remove some of the compliance barriers from the path of emerging enterprises11;
  • requires data controllers to implement "privacy by design"12 – this may help to overcome in practice some of the issues with unintentional personal publishing;
  • requires "specific, informed and explicit" consent13 in relation to the use of personal data – thereby giving consumers greater control over their personal information, but potentially damaging large swathes of the online world.

The clear indication at the moment then, is that privacy is the primary priority and large businesses are to foot the bill for it, regardless of the difficulties this may pose to the smooth running of the online world. This is a welcome development to privacy campaigners, but is it a little heavy-handed and contradictory?

The fact that individuals and small companies are exempted from the full requirements of the Regulation is surely a good idea on a practical level, as it is taking some of the compliance obligation away from individual data controllers and placing it once again on those entities which are big enough and sophisticated enough to be able to do something about it. But surely these exemptions mean that some of the issues of online privacy, as breached by individuals and small companies, will persist. This is probably a necessary evil, and is a welcome development in terms of practicality. However, it is nonetheless a compromise, and jars awkwardly with the uncompromising enforcement of consent-gathering for large businesses no matter what the commercial consequences.

The online world is famously adaptive. To an extent the new Regulation is simply a stricter re-stating of existing principles, unravelling some of the departures from the DPA which have damaged the public's feeling of privacy on the net. But one cannot help but wonder if, by stamping out the "creepy", we might also lose some of the "cool".

Footnotes

1 Full text available at:

http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

2 Research carried out by Which? revealed that half the respondents felt that online behavioural advertising was an invasion of their privacy, quoting reasons such as feeling like they were being spied on, and worries that the information would be passed on to third parties and/or used in ways they did not know about.

3 Research commissioned by Microsoft in 2009 found that 41% of recruiters/employers have rejected candidates based on information found online; 80% of recruiters/employers have concerns about the accuracy of the information they find online; but only 68% say that they take steps to check it. The major reasons for rejecting candidates included inappropriate things written by the candidate; unsuitable videos, photos etc.; concerns about the candidate's lifestyle; comments criticising previous employers etc.

4 Section 36 DPA

5 http://www.bbc.co.uk/news/technology-13145562

6 http://www.bbc.co.uk/blogs/thereporters/rorycellanjones/2011/04/iphone_tracking_creepy_cool.html

7 See http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=60762, page 9, 4th para

8 Regulation 6, Privacy and Electronic Communications (EC Directive) Regulations 2003. See also http://www.kemplittle.com/OurEvents/EventsDownloads/2012-01-25_%20Article_Analytic%20and%20consumer%20targeting.pdf for further detail, paras 23 to 26.

9 Full text available at:

http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

10 Recital 15 and Article 2(2)(d)

11 For instance, such enterprises are in most cases exempt from the requirement to have a data protection officer – Article 35(1)(b)

12 Article 23

13 Recital 25 and Article 4(8)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.