Lilian Edwards and Wiebke Abel (2014)
In the wake of the Snowden revelations about covert state access to consumer data stored in the cloud, consumer confidence about the handling of their personal data in the cloud in particular, and in digital services in general, has suffered a severe blow. This is particularly true in Europe, where in general consumers expect a higher standard of privacy protection than in the US, both by law and as a matter of cultural norms.
Accordingly, this report was commissioned to examine two possible paths for UK industry to re-establish consumer trust and confidence in the cloud, and in consumer digital services in general.
First, we consider the use of icons and labelling as a means to more effectively communicate complex and lengthy privacy policies to consumers.
Secondly, we assess the use of standardised contract terms or templates in relevant business-to-consumer (B2C) markets, and ask if these might be helpful in relation to industries which collect and use personal data.
Iconography and labelling
In the first section, this report surveys existing examples where iconography and labels have been used to support consumers to make informed decisions about complex factual or legal matters. In particular, we survey prominent use-cases where information about personal data collection and use has been made more accessible to consumers by representing privacy policies via icons and labels.
The key findings and recommendations from this part of the analysis are:
- Icons and labels both have a long history of helping to communicate complex factual information to consumers in an easy-to-grasp way. This is true in “off-line” contexts, such as, notably, energy use by applications, laundry instructions and nutritional labelling; and in the digital world, such as the use of Creative Commons icons to indicate the permissions given by the creator of a copyright work.
- Empirical research about applying these techniques to privacy policies is mainly limited to academic work, but some detailed icon sets have already been devised eg Prime Life, Privacy Icons Software.
- There is some evidence that user understanding of privacy policies is enhanced by using icons and labels as well as conventional legal text (a “multi-layered” privacy notice approach). However, this hypothesis has not really been tested “in the wild” due to lack of uptake of existing schemes to date.
- Hard choices have to be made about exactly what features a privacy icon scheme indicates, given the need to provide simplicity at the expense of legal detail. Furthermore, existing offline schemes largely provide descriptive information (eg “number of calories”), not legal assessments (“processing fair and lawful”). Existing schemes vary from one very simple icon to complex sets involving up to 30 icons in various states.
- Labelling schemes can give more information than icons, but may become correspondingly more confusing with information overload for users.
- Icon sets or labels can be devised for discrete industry sectors (eg email, social networks) rather than all data processing, which may help reduce the icon set or information overload.
- Entirely market-driven self-regulatory schemes such as the Platform for Privacy Preferences (P3P) have failed in the past, because of lack of sufficient incentives for both consumers and industry to take part, leading to a crucial failure to achieve critical mass. Achieving consumer mass for consumer recognition would be crucial to the success of any icon scheme for privacy. No current scheme has (yet) achieved this visibility. Governmental involvement in (co-)promoting schemes might help overcome this market hurdle. “Iconifying” privacy policies (and maintaining such) is also time-consuming for industry: automatic generation tools, as with Creative Commons, may help.
- “Offline” examples have found that a standardised graphical approach across multiple national jurisdictions is best for successful implementation and consumer recognition. This may be difficult to achieve in a field such as privacy, where laws (and regulatory oversight) are very different globally, and yet access to services is multi-jurisdictional.
- If a system were to indicate legal (or more than minimum legal) compliance to EU users to increase trust and confidence, then again difficult issues of jurisdictional locality (both of user, and service) would arise.
- Some kind of independent audit and/or complaint process, with appropriate sanctions, would also help instill trust by guaranteeing that service providers were actually implementing their privacy claims. This might be provided by working with the existing DPAs (the Information Commissioner in the UK) or by putting an independent industry ombudsman in place.
The second section of this report surveys proposals for standard contract templates or “regulated privacy policies”.
The key findings are:
- Standard contracts or clauses are a recognised means to ensure that consumers are sufficiently protected against industry standard terms or service level agreements that are unfair and/or significantly weighted in favour of the provider. In the EU, control of unfair terms in B2C contracts by law is already an accepted norm.
- Standard terms and contracts are already used to implement data protection guarantees into contracts where there is export of personal data outside the EU. While only one strategy to achieve legal compliance in this area, this is by far the most popular industry choice. Standardised privacy policies have also been partly introduced in the US in the area of financial services.
- These privacy strategies were both initiated by government intervention (mandatory law). However, it is also possible that industry “soft law” could create such regulated privacy policies for industry sectors, with sufficient incentives.
- However, standardisation of contracts and terms, in the context of global data flows, probably has the greatest impact if it is harmonised at international level. This again might be done by law (international treaty), by industry groups, or by standard setting bodies such as ISO.