Privacy 2.0

The Data Protection Act (DPA), which is the backdrop for privacy protection in Europe, was born in the pre- web2.0 era; before the innovation of social media. New challenges are being posed by new technologies and one study (by RAND) commissioned by the Information Commissioner’s Office (ICO) last year concluded that, “in an increasingly global, networked environment, the Directive [which the DPA is based on] will not suffice in the long term.”

In this respect, last week the EU Commissioner announced that privacy reform was back on the top of the agenda for this year.
She mentioned the changes envisaged will be based on the pillars of transparency; privacy as default; protection regardless of data location and the right to be forgotten.

Pillars of reform
Transparency or the ‘openness principle’ is a pre-requisite to building trust on the internet and is an agreed necessity voiced by data protection commissioners (see chapter 10 ).   According to the RAND report “where and how personal information is stored and used is becoming increasingly opaque due to technological advances”.

The ‘Privacy as Default’ approach described by the Commissioner aims to make it easier for individuals’ to configure their privacy settings on social networking sites – a possible reaction to the controversy last year surrounding Facebook’s settings (see previous post)

The Commissioner considers the same principle of ‘Privacy as Default’ could also be used to control the collection of data by software applications. This view is consistent with the proposed changes to cookies law due to be implemented where the starting principle is that consent is required every time a cookie is used (although there are exceptions).

The EU Commissioner wants EU citizens to be protected regardless of where their data is processed: “Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.” Currently companies ‘established’ in the EU are subject to the Act. It is not clear, short of an international treaty, how the EU intends to protect EU citizens outside of its jurisdiction. From looking at the report of the Commission in November 2010, they seem undecided yet how this will happen in practice.

Lastly and more intriguingly is the so-called ‘right to be forgotten’.

The EU Commissioner refers to the ambition behind this right as being “a comprehensive set of existing and new rules to better cope with privacy risks online”. Individuals will be given the “right – and not only the “possibility” – to withdraw their consent to data processing.”

Although it is not yet clear what the scope of this right will entail, there have already been some doubts surrounding its practicability. The New Scientist have commented “Once you put something online it can easily be copied and widely distributed, and deleting the original will do nothing to stop people finding a copy elsewhere ”.

Also, an interesting consideration is what would happen when a right to be forgotten implicates third parties. Say for instance, I take an unflattering photo of you at a party upload it on Facebook and tag you. As I am tagging you with the photo this become personal data which Facebook is processing.

If, under this new right to be forgotten, you decide to withdraw your consent to have your data processed will Facebook have to remove it from my photo album? If this is the case then immediately social media sites will be drawn into mediating between people exercising the right to be forgotten and the rights of others who are affected by that right.
Although the principles announced by the Commissioner seem to be reasonable and needed, it remains to be seen what exactly is being proposed and how they intend to deal with the practical issues raised.