Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world. This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how others use their personal information. Therefore, for individuals to be able to exercise the appropriate level of control, it is imperative that they are first told how their information will be used. So irrespective of whether the use of that information is legitimised by an individual’s consent, there is still an overarching obligation to be transparent about personal data uses. Recent developments confirm that this principle is still very much alive in the mindsets of regulators but also that compliance with the transparency obligation – as fundamental as it may be – is not without its challenges.
At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before. This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users’ interaction with their devices in a clear and comprehensive manner. In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the “purpose limitation” principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater. This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive. Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.
However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice. To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available. As essential as transparency may be, the reality is that understanding an organisation’s data uses is not regarded as a priority in the context of accessing a service or making a transaction. In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used so that the average individual can understand the implications. On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – presents another practical difficulty in terms of making the right amount of information available at the right time and in the right format.
All in all, traditional and unimaginative transparency mechanisms have their days numbered. Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward. Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible. In recent years, regulators have also favoured a layered approach to the provision of privacy notices. The next step in this evolution is the adoption of very short “contextual notices” that explain at the right time and in the right way, how certain user data will be used. These types of notices are probably Internet and mobile players’ best chance of providing truly meaningful information when it matters.
This article was first published in Data Protection Law & Policy in May 2013.