
Thursday, 26 April 2012

Business Implications Of Privacy Law

On Tuesday, I had the pleasure of presenting to the Ctrl-Shift conference arranged for MesInfos, the French equivalent of the Midata initiative, which encourages businesses to allow consumers to download their own personal transaction data. My short presentation is embedded below. 

The ensuing discussion confirmed some critical differences between the continental and British legal landscapes. The most fundamental is the difference in citizens' expectations of the civil law and common law frameworks, on which I've commented before in the context of identity. The citizens of civil law countries expect the authorities to specify in regulation how something new may be done. The common law, by contrast, is expected to follow commerce: people first agree contractually how something may be done and rely on judges to solve problems in the courts, and Parliament is only there to pass laws where judges can't help. Accordingly, civil law comprises civil codes or legislation made by the state, whereas a significant amount of the law in common law countries effectively comprises judicial decisions and the contractual frameworks to which they relate. 

As a result, contracts in civil law countries can be shorter, as they only need to spell out how the parties intend to modify the operation of the civil code, where that is possible - and attempts at such modification are viewed with some suspicion. But in common law countries, contracts tend to be more involved yet more readily agreed since they are heavily relied upon as the first attempt to agree how something should be done. 

Not only do these differences have significant implications for the pace of innovation in Europe as opposed to, say, the US, but they also help explain why the European Commission's (civil law) approach to life is viewed as such a drag in the UK, which doesn't have the power to ignore it. 

The approach to privacy policies is a case in point. In the online world in particular, not only have global terms of service effectively operated as the only form of enforceable international law (witness US government reliance on the terms of PayPal etc to try to control WikiLeaks), but privacy policies underpin numerous advertising-dependent business models and effectively specify how privacy works. That is something European regulators view with distaste. They believe state-made law should specify how privacy works, and the role of contracts should be limited to merely obtaining fully-informed consent in relation to specific facts involving the use of data. The mind-numbing 'cookie law' is the product of such pompous thinking.

The incontrovertible fact remains that commerce will grind to a halt if we are to wait for the authorities to dictate the pace and shape of innovation. Life is what happens while you're making plans. The European Commission's far-reaching "General Data Protection Regulation" will be another two years in negotiation. In the meantime, businesses and their customers in the common law world will continue to hammer out their own agreements on how things should work.

Somehow the two approaches need to coincide to enable the same, consumable result.

Thursday, 26 January 2012

You Want Eggs With Your Privacy Regulation?

Well, the EuroZerozone may be disintegrating, but the European Commission is certainly doing its best to cement over the obvious cracks in the single market fantasy. Now we need more regulation of... privacy.

As with everything else that Brussels churns out, this breakfast had its origins in the primordial soup of the "Social Dialogue" and various talkfests that are helpfully identified by the city in which they were discussed. This time around something seems to have happened in Stockholm in 2009, for example. At any rate, you'll be so impressed by the rich pedigree of the grandly named:
"Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)"

that you'll gratefully submit to the wisdom of our European overlords.

As for me, I just can't wait to roll my sleeves up and get to grips with the detail... the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

No, really.

Honest.

Just as soon as I've got my head around the idea that "Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller" (Article 7(4)).

How can we really be sure there has been consent to anything?


Tuesday, 17 May 2011

Would You Like A Cookie?

The law that applies to ‘cookies’ is changing with effect from 26 May 2011. Within a year from that date, not only must the user be given clear and comprehensive information about the purposes of cookies and use of the data they collect; but cookies can also only be placed on the user’s device after the user has given his or her consent. There is an exception where such storage or access is strictly necessary for the provision of a service that has been requested by the user (as well as where the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network). The UK Information Commissioner has issued guidance on how to comply.

How best to obtain consent?

This is likely to vary according to the type of cookie being set and the use to which the information is put. Cookies may be either "Session" cookies, which are temporary and deleted as soon as the user closes his or her browser; or "Persistent" cookies, which are stored on the user's device hard drive until they expire or are removed. Where a persistent cookie is set, the consent only needs to be obtained prior to it being set the first time.

Of course, users can configure their browser to warn them whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Or they can choose not to visit a website or use a service whose cookies they don’t want to receive. However, the Information Commissioner has found that most browser settings are not sophisticated enough to allow the service provider to assume the user has given his or her consent to allow your website to set a cookie. So, the Commissioner has advised that consent must be obtained in some other way.

If you are changing your terms for the use of your web site or web-based service, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms. Where a third party sets its own cookies or similar technologies on "your" users' devices, you will need to ensure your users' consent is obtained either by you or by the third party.

For sites with subscribers who must log-in to gain access, you could prompt the user to agree amendments to your privacy policy to cover the use of cookies at time of next log-in. More challenging is how to obtain consent to cookies from users who don't log-in or necessarily interact with your site in a way that would enable you to display terms of consent that could be agreed. The Information Commissioner has suggested that web site owners “place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them.”
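As an added illustration that is not part of the original post, here is a small consent gate in JavaScript that applies the rules above: strictly necessary cookies are exempt, everything else is written only once a consent decision has been recorded (the tick box), and a persistent cookie is gated only the first time it is set because the recorded consent is reused afterwards. The cookie names, categories and the in-memory jar are constructed for the example; in a browser the `write` callback would be `s => { document.cookie = s; }`.

```javascript
// Added example, not the blog's or the ICO's code. Cookie categories are assumptions:
// "necessary" covers cookies strictly needed for the service the user requested
// (the exemption in the law); the others require a recorded, positive consent.
const CATEGORIES = { necessary: "necessary", analytics: "analytics", advertising: "advertising" };

// Build a Set-Cookie style string. No maxAgeSeconds -> session cookie (removed when
// the browser closes); with maxAgeSeconds -> persistent cookie.
function buildCookieString(name, value, { maxAgeSeconds, path = "/" } = {}) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=${path}; SameSite=Lax; Secure`;
  if (maxAgeSeconds !== undefined) s += `; Max-Age=${maxAgeSeconds}`;
  return s;
}

// consent is what was recorded when the user ticked the box, e.g.
// { analytics: true, advertising: false }; null means no answer has been given yet.
function isPermitted(category, consent) {
  if (category === CATEGORIES.necessary) return true; // exemption: strictly necessary
  if (!consent) return false;                          // nothing recorded, so no cookie
  return consent[category] === true;                   // only an explicit "yes" counts
}

// write() is the side effect (document.cookie in a browser). Returns whether the
// cookie was actually set, so callers can log refusals or show the consent prompt.
function setCookie(write, consent, { name, value, category, maxAgeSeconds }) {
  if (!isPermitted(category, consent)) return false;
  write(buildCookieString(name, value, { maxAgeSeconds }));
  return true;
}

// Constructed walk-through against an in-memory jar: first visit with no answer,
// then a visit after the user ticked "analytics yes, advertising no".
function demo() {
  const jar = [];
  const write = (s) => jar.push(s);
  const twoYears = 63072000;
  const noAnswer = null;
  const r1 = setCookie(write, noAnswer, { name: "session_id", value: "abc", category: "necessary" });
  const r2 = setCookie(write, noAnswer, { name: "analytics_id", value: "1", category: "analytics", maxAgeSeconds: twoYears });
  const recorded = { analytics: true, advertising: false };
  const r3 = setCookie(write, recorded, { name: "analytics_id", value: "1", category: "analytics", maxAgeSeconds: twoYears });
  const r4 = setCookie(write, recorded, { name: "ad_id", value: "x", category: "advertising", maxAgeSeconds: twoYears });
  return { results: [r1, r2, r3, r4], jar };
}
```

The necessary session cookie is written straight away, the persistent analytics cookie is refused until consent is recorded and then written, and the advertising cookie stays refused because the user said no.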

Whichever way you decide to meet the challenge, you'll need a psychiatrist on standby for your digital design team ;-)


Image from Jefferson Park.