Wednesday, March 27, 2013

Why Johnny can't read...a privacy policy



Why can't Johnny read a privacy policy?  It's because privacy policies aren't being written for Johnny to read.  They're being written for regulators and lawyers to read.  Or well, more fairly, they're being written for Johnny, in the ways that regulators and lawyers think they should be written.  

Today, privacy policies are being written to try to do two contradictory things.  Like most things in life, if you try to do two contradictory things at the same time, you end up doing neither well.  Here's the contradiction:  should a privacy policy be a short, simple, readable notice that the average end-user could understand? Or should it be a long, detailed, legalistic disclosure document written for regulators?  Since average users and expert regulators have different expectations about what should be disclosed, the privacy policies in use today largely disappoint both groups.  

On the one hand, privacy policies are supposed to be disclosure documents for the average end user.  In other words, privacy policies are supposed to be simple, readable notices that are used by any entity that processes personal data to tell their users basic stuff, like what data they collect, how they use that data, whether they transfer that data to any third parties, etc.  In addition, privacy policies are the main mechanism for entities to obtain consent from end users to process their data, even if that consent is often implicit.

On the other hand, regulators around the world, with good intentions, continually call for longer and longer privacy policies (not in those words, of course), by demanding that X, Y, and Z be disclosed.  Whether Johnny cares about X, Y, and Z is irrelevant.  Companies have to disclose X, Y, and Z, or they'll risk regulatory sanctions.  Johnny probably couldn't understand X, Y, and Z anyway, and X, Y, and Z are probably privacy-legal terms of art.  HIPPA is a famous example of legally-required privacy notices that Johnny can't read.  

The time has come for a global reflection on what, exactly, a privacy policy should look like.  Today, there is no consensus.  I don't just mean consensus amongst regulators and lawyers.  My suggestion would be to start by doing some serious user-research, and actually ask Johnny and Jean and Johann.

Tuesday, March 12, 2013

We Need a Better, Simpler Narrative of US Privacy Laws



Ask yourself why a European privacy regulator can propagate the preposterous view publicly that the US has "no effective privacy laws."  And lots of people seem to believe that.  And why does it matter?

On the global stage, Europe is convincing many countries around the world to implement privacy laws that follow the European model.  The facts speak for themselves:  in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws.  Not a single country, anywhere, has followed the US-model.

Indeed, what is the US model?  People in the privacy profession know that the US has a dense "patchwork" model of privacy laws:  every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other "non-privacy" laws, like consumer protection laws, are regularly invoked in privacy matters.  Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.   

How on earth do you explain US privacy laws to an international audience?  How do you explain the role of class action litigation to people in countries where it doesn't even exist?  The US privacy law narrative is convoluted.  That's a pity, since almost all of the global privacy professionals with whom I've discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy.  (I didn't say "perfect", since laws never are, and I'm not grading them either.)

By contrast, Europe's privacy narrative is simple and appealing.  Its laws are very general, aspirational, horizontal and concise.  Critics could say they're also inevitably vague, as any high-level law would have to be.  But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world.  And they are enforced (at least, on paper) by a single, identifiable, specialist regulator. 

Europe does a great job explaining (or marketing, if you prefer).  The US has to figure out how to explain its privacy laws on the global stage. There's more at stake than just prestige.  There's more at stake than just asking why Uruguay, to take a random recent example, looked to Spain, rather than the US, for inspiration as it wrote its recent privacy laws.  What is at stake are important things:  first, trust in US-based companies and trust in the US Government around the world.  People will trust them less if they believe the story-line that they operate in a country with "no effective privacy laws".  And second, hopes to include digital trade in President Obama's initiative for a grand new US-Europe Trade Pact.  The lack of "adequate" US privacy laws is cited by Europeans as a reason why it is illegal to transfer personal data from Europe to the US, which is quite obviously, at least in part, a free trade issue.  Privacy will prove a serious roadblock to any such future trade pact, as long as some people in Europe can argue that the US has no effective privacy laws.  

Privacy is not alone among complicated subjects in need of a simple narrative. Visit a cathedral, if you need inspiration.   

Monday, March 4, 2013

A Glorious Day for a Free Internet in Italy



Just before Christmas, an Italian Appeals Court over-turned the convictions of three Googlers, including myself, for allegedly violating Italian privacy law.  Now, after roughly 2 months, the Court has issued its written opinion to explain its decision.  The Court's opinion is a lucid and ringing endorsement of the principles Google and I have been defending since the beginning of this prosecution 6 years ago:  
  • Intermediary Liability:  The Court held that Internet platforms, like Google Video or YouTube, are not responsible for user-uploaded content, absent notice of inappropriate content.  These platforms also cannot—and should not—be required to pre-screen content that is uploaded to them.  Any efforts to pre-screen content would raise serious risks to users’ freedom of expression.  In the Court's own words:   “Imposing a duty on or granting the power to, an internet provider to carry out prior screening seems to be a step that is to be afforded particularly careful consideration, given that it is not entirely free of risk due to the possibility of a conflict arising with the principles of freedom of expression of thought”.
  • Privacy:  The Court held that people who film and upload videos are responsible for compliance with data privacy laws.  Internet platforms cannot possibly obtain the consent of people appearing in user-uploaded videos.   In the words of the Court:  "it is patently clear that any assessment of the purpose of an image contained in a video, capable of ascertaining whether or not a piece of data is sensitive, implies a semantic, variable judgement which can certainly not be delegated to an IT process".
  • Criminal Responsibility:  The Court recognized the basic legal principle that employees like me could not have the required criminal intent to violate data privacy laws when they had nothing to do with, and weren't even aware of, the alleged criminal data privacy violation.  

This case was never about me at all, as I was just a random and unfortunate vehicle for a broader judicial test of  intermediary liability.  Obviously, I'm relieved personally to be acquitted.  But I'm delighted that this case has generated a clarion legal precedent in favor of freedom of expression.  In particular, I'd like to thank the many people who expressed their support for me throughout these six years, in particular, my numerous colleagues at Google and my stellar team of outside counsel, all of whom worked tirelessly to see these principles prevail.  And I'd like to thank the many people who realized that there were important principles at stake in this prosecution, who added their voices to the policy debate, in Italy and beyond.  This saga is (probably, hopefully) over for me.  

Together today, we can celebrate and applaud this step forward towards a brighter digital future in Italy.