20 July 2012

Privacy Notices

Recent posts in this blog have referred to frameworks for consent in online transactions and notions of 'visceral notice'.

'What happens to my data? A novel approach to informing users of data processing practices' by Bibi van den Berg & Simone van der Hof in (2012) 17(7) First Monday notes that -
Citizens increasingly use the Internet to buy products or engage in interactions with others, both individuals and businesses. In doing so they invariably share (personal) data. While extensive data protection legislation exists in many countries around the world, citizens are not always aware (enough) of their rights and obligations with respect to sharing (personal) data. To remedy this gap, users ought to become better informed of companies’ data processing practices. In the past, various research groups have attempted to create tools to this end, for example through the use of icons or labels similar to those used in nutrition. However, none of these tools have gained extensive adoption, mostly because it turns out that capturing privacy legislation in simple, accessible graphics is a complicated task. Moreover, we believe that the tools that were developed so far do not align closely enough with the preferences and understanding of ordinary users, precisely because they are too ‘legalistic’.
In this paper we discuss a user study conducted to gain a better understanding of the kinds of information users would wish to receive with respect to companies’ data processing practices, and the form this information ought to take. On the basis of this user study we found a new approach to communicating this information, in which we return to the OECD’s Fair Information Principles, which formed the basis for (almost all) data protection legislation. We end the paper with a rudimentary proposal for an end user tool to be used on companies’ Web sites.
They comment that -
One of the interesting findings of the survey we conducted (section 1) was that the informational wishes of end users neatly align with the requirements laid down in data protection law: end users tend to want to be informed of the same information processing issues (what information is processed, passing information on to third parties, processing purposes etc.) as the legal demands that companies need to meet. On some level, of course, this is not surprising: if all goes well legal requirements mirror the demands of the people they aim to protect, or at least align with these demands. However, other attempts at improving the accessibility of privacy statements, or companies’ data collection and processing practices, have never started from this finding. As we have seen, for example in the icons developed in the PrimeLife project, these generally start from the assumption that the intricacies of data protection legislation have to be communicated — in great detail — to end users to inform them of the many, many hazards and pitfalls they may (legally) encounter when sharing data in online environments. In contrast, our survey reveals that end users’ expectations remain at a much more general, and much less legally detailed level. 
This led us to the idea of going back to the origins of (almost all) of the data protection legislation that is available today: the OECD Guideline, composed in 1980, on the ‘Protection of privacy and transborder flows of personal data’, also known as the Fair Information Principles. These Principles form the basis of the European Data Protection Directive, along with most of the data protection legislation of the Member States. There are eight basic principles in the OECD Guideline, ranging from a Collection Limitation Principle (also known as the data minimization principle: one can only collect those data one needs to complete a certain action, and no more than that), the Data Quality Principle (data should be accurate and up to date), and the Purpose Specification Principle (data may only be collected and processed for specified purposes). 
As said, the survey revealed that users look for precisely these types of information when engaging with companies who set out to collect and process their data. This is why we rephrased the key principles in the OECD Guideline in everyday language and used those as our starting point. 
In the previous section, we concluded that many of the existing initiatives to improve the communication of privacy policies either provided too much information at a single glance for end users to process (icons, labeling) or too little (the Privacy Bird). To avoid this, we decided to opt for a layered approach, which does contain all the information an end user may wish to receive, but not at first glance. Moreover, we decided to use words rather than a single image such as the Privacy Bird to avoid oversimplification. We placed eight core concepts, related to the Fair Information Principles, on the spokes of a wheel .... This wheel can be placed on a company’s Web site .... Clicking the wheel makes the spokes rotate, so that each of the eight topics can be studied by end users should they desire to do so. 
The spokes have the following labels:
Limited collection: this is the OECD’s ‘Limited Collection Principle’ 
Data quality: this is the ‘Data Quality Principle’ 
Clear purposes: this is the ‘Purpose Specification Principle’ 
Limited use: this refers to the fact that data shall not be used for purposes other than the ones specified, but also to the fact that data shall be stored for a limited period of time. 
Safe & secure: this refers to the OECD’s Security Safeguards Principle, which stipulates that data should be stored in a safe and secure way. 
Consent: this is actually not a part of the Fair Information Principles, yet has become a key feature of existing data protection legislation, which is why we chose to create a separate label for it. If this demonstrator were to be developed further into an online tool, to be posted on companies’ Web sites, one could imagine that clicking this spoke would not only give end users access to the stored consent form regarding their data, but possibly even a direct means to change or revoke their consent. 
Third parties: this also is not an explicit part of the Fair Information Principles, yet plays an important role in existing data protection legislation. Moreover, the survey revealed that users attach great value to being informed about whether or not their information is passed on to third parties. This is why we created a separate spoke for this theme. 
Hold us accountable: this refers back to the OECD’s Openness and the Accountability Principle, which states that users ought to have the right to hold a data controller accountable, and have insight into what data is processed and by whom.
We have chosen these labels because they are intuitive and easy to understand — even if end users do not click on the spokes to find out more information, they are still informed of a company’s data collection and processing practices on a minimal level. 
Clicking on the wheel enlarges the image. Next, clicking on the individual spokes enables users to access second and even third layers of information, where they receive more and more in-depth information about each specific aspect of the processing. The information becomes more ‘legalistic’ with every layer the end users access. What’s more, in some cases end users may even exercise their rights directly through the use of this tool