
Privacy notices versus informational self-determination: Minding the gap


Abstract

Privacy notices are instruments that intend to inform individuals of the processing of their personal data, their rights as data subjects, as well as any other information required by data protection or privacy laws. The goal of this paper is to clarify the current discourse regarding the (in)utility of privacy notices, particularly in the context of online transactions. The perspective is a European one, meaning that the analysis shall be geared towards the European Data protection framework, particularly the European Data Protection Directive. The paper discusses the role that privacy notices play under the European data protection framework today, summarizes the main critiques regarding the use of privacy notices in practice and develops a number of recommendations.

Acknowledgements

This paper has received partial funding from the project Security and Privacy in Online social Networks (‘SPION’), funded by IWT (www.spion.me). It has also received partial funding from the Flemish research institute iMinds (www.iminds.be).

Notes

1. This paper will make use of the term ‘privacy notices’ instead of ‘privacy policies’ in order to avoid terminological confusion (the term ‘privacy policy’ is also frequently used in reference to documents that are internal to an organization and which detail the objectives, rules and/or controls it has adopted in order to satisfy data protection and privacy requirements). By using the term ‘privacy notices’, we hope to make clear that we are talking about public-facing documents.

2. See for example ‘Letter from Article 29 Working Party to Google regarding their new privacy practices’, May 16 2007, available at http://ec.europa.eu/justice/policies/privacy/news/docs/pr_google_16_05_07_en.pdf; Federal Trade Commission, ‘In the matter of Facebook Inc’, 29 November 2011, available at http://www.ftc.gov/opa/2011/11/privacysettlement.shtm; Data Protection Commissioner of Ireland, ‘Facebook Ireland Ltd - Report of Audit’, 21 December 2011, available at http://dataprotection.ie/documents/facebook%20report/final%20report/report.pdf and Office of the Privacy Commissioner of Canada (OPC), ‘Facebook agrees to address Privacy Commissioner's concerns’, 27 August 2009, http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.asp (all last accessed 21 April 2013).

3. Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data, Official Journal of the European Union, no L 281, 23 November 1995, 31–50. Hereafter also referred to as ‘Directive 95/46/EC’ or simply ‘the Directive’.

4. The Directive defines a ‘controller’ as the entity who alone, or jointly with others, ‘determines the purposes and means’ of the processing (article 2(d)). Within the regulatory scheme of the Directive, the controller is the entity that carries primary responsibility for ensuring compliance with the substantive provisions of the Directive. For a critical analysis see Van Alsenoy (2012).

5. Article 29 Data Protection Working Party, ‘The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data’, WP 168, 2009, 17.

6. These provisions address two different scenarios, respectively: one in which the information is obtained directly from the data subject (art. 10), and one in which the information is collected indirectly (i.e. from an entity other than the data subject) (art. 11).

7. The use of plural ‘purposes’, in Articles 10–11, implies that the data subject has to be informed not only about the main purpose to be accomplished, but also about any secondary purposes for which the data will be used. See also (Korff 2010), commenting on the relevant provision of the German Data Protection Act, which uses the term ‘purposes’ as well.

8. Art. 10-11, 1, c (emphasis added).

9. Member State laws vary considerably with regard to the kinds of information that must actually be provided in order to ensure fairness of processing. Sometimes the examples given in the Directive are repeated, other times somewhat different examples are included, and sometimes there are no examples at all. (See Article 29 Data Protection Working Party, ‘Opinion on More Harmonised Information Provisions’, WP100, 25 November 2004, 3.)

10. Obviously derogations may be necessary (e.g., in the course of an undercover operation). However, these derogations must be established pursuant to the provisions of the Directive (unless of course, the processing operation falls outside of its scope altogether).

11. See Zarsky (2004) and Hildebrandt and Koops (2010, 449). While the duty to inform data subjects is only one of several transparency obligations, it may nevertheless provide the individuals concerned with a first insight into the controller's data processing operations.

12. Brandeis (1913) has lauded the regulatory effect of transparency as follows: ‘Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.’

13. See also Foucault (1995, 202–203): ‘He who is subjected to a field of visibility, and who knows it, assumes responsibility for the constraints of power; he makes them play spontaneously upon himself; he inscribes in himself the power relation in which he simultaneously plays both roles; he becomes the principle of his own subjection’.

14. See for example Federal Trade Commission (FTC), ‘Protecting Consumer Privacy in an Era of Rapid Change – Recommendations for Businesses and Policymakers’, FTC Report, March 2012, 61, available at http://www.ftc.gov/opa/2012/03/privacyframework.shtm (last accessed 21 April 2013). Accountability is a concept with many dimensions, meaning very different things to different people. For more information regarding accountability as a principle of data protection see Alhadeff et al. (2012, 49–82).

15. See also section 4.1. Accountability by way of notice is perhaps clearest in the United States, where the Federal Trade Commission's enforcement actions under section 5 of the FTCA are directly correlated to the statements made by companies (as failure to adhere to stated practices is considered an ‘unfair’ or ‘deceptive’ trade practice). See Baumer et al. (2004, 402).

16. Data subject consent also figures in article 8, which concerns the processing of special categories of data. This provision stipulates a general prohibition which needs to be ‘lifted’ before the processing can be justified. For example, article 8, 2, e) lifts the general prohibition for data ‘made manifestly public by the data subject’. The public nature of such data does not, however, exempt the controller from the obligation of securing a legitimate basis for the processing under article 7. Similar considerations apply with respect to the role of consent for cross-border transfers under article 26 (consent may serve to lift the general prohibition of transfer to jurisdictions which have not (yet) been subject of an adequacy finding, but this is in principle independent of the legitimacy of processing).

17. See Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011. For a detailed analysis of the requirements of consent, see Kosta (2013).

18. Kosta (2013, 159 et seq); Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011, 11–12.

19. Kosta (2013, 169 et seq); Article 29 Data Protection Working Party, ‘Working Document on the processing of personal data relating to health in electronic health records (EHR)’, WP 131, 15 February 2007, 9. See also Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011, 12–17.

20. Kosta (2013, 219 et seq); Article 29 Data Protection Working Party, ‘Working Document on the processing of personal data relating to health in electronic health records (EHR)’, WP 131, 15 February 2007, 8. See also Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011, 17–19.

21. Kosta (2013, 202 et seq); Article 29 Data Protection Working Party, ‘Working Document on the processing of personal data relating to health in electronic health records (EHR)’, WP 131, 15 February 2007, 9. See also Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011, 19–20.

22. De Bot (2001, 129). Where special categories of data are involved, article 8(2)(a) of the Directive specifies that the consent of the data subject must be ‘explicit’ rather than ‘unambiguous’. This is a subtle distinction, which is not always perceptible in practice. The main difference is that ‘absence of ambiguity’ still allows for inference from other (affirmative) actions, whereas ‘express’ consent does not allow for inference of any kind (but rather requires an indication of wishes specifically in relation to the processing of the data in question). See Article 29 Working Party, Opinion 15/2011 on the definition of consent, WP 187, 2011, 25 and 35. See also Kosta (2013, 226 et seq). In reality this qualification does not add any real value to the way consent should be interpreted. This perhaps also explains why the qualification of ‘unambiguously given’ consent was not retained in the proposed Data Protection Regulation: European Commission, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final – 2012/0011 (COD), 25.01.2012: In January 2012, the European Commission presented its proposals for the reform of the data protection legal framework of the European Union, proposing the replacement of the Data Protection Directive with a Regulation.

23. Privacy notices provided with the view of obtaining data subject consent have also been referred to as ‘consent notices’, i.e. notices aimed at obtaining the data subject's informed consent for certain data processing activities, e.g. by ticking a box (Robinson et al. 2009, 28–29).

24. For a detailed historical overview see Kosta (2013, 12 et seq).

25. BVerfGE 65,1 vom 15.12.1983 (Volkszählungs-Urteil). The decision was published in Neue Juristische Wochenschrift [1984], 419 et seq and an English translation made by E. Riedel can be found at Human Rights Law Journal [1984], 94 et seq. For a more thorough analysis of the population census decision of the German Constitutional Court, see Simitis (1987, 135; 1984, 398–405); Riedel (1984, 27); Albers (2005); Vogelsang (1987); Flaherty (1989, 77–83).

26. Rauhofer (2008). According to Mayer-Schönberger (1997) the right to informational self-determination established the third-generation data protection norms. For his very interesting classification of data protection norms into generations, see Mayer-Schönberger (1997, 219 et seq).

27. As we will demonstrate later, however, data subject consent does not absolve the controller from his obligation to specify a legitimate purpose and to limit the processing to that which is necessary to achieve that purpose.

28. See Bygrave and Schartum (2009, 165); Article 29 Data Protection Working Party, ‘Opinion 15/2011 on the definition of consent’, WP 187, 2011, 7.

29. The criticisms presented here have in first instance been directed towards the ‘notice & choice’ approach to data protection, which has historically been advocated for by the US Federal Trade Commission. However, similar considerations also apply within the EU, at least to the extent that the practical reality is such that most online service providers appear to rely upon data subject consent.

30. The term ‘notice skepticism’ was coined by Calo (2012, 1027 et seq).

31. See also McDonald and Cranor (2008) arguing that the time that website visitors need to invest in reading privacy policies is in itself a form of payment, which can serve as a justification why people are not reading long privacy policies.

32. Beales and Muris (2008, 114–115). ‘It simply does not pay for most consumers to think and make decisions about policies on the use of their information, given that the issue is of such little practical consequence to them’.

33. Beales and Muris (2008). For more information on the concept of bounded rationality see Simon (1982).

34. See R. Calo (2012, 1054–1055), and the references cited there. See also Working Party on Information Security and Privacy, ‘The Evolving Privacy Landscape: 30 Years After the OECD Privacy Guidelines’, Directorate for Science, Technology and Industry, Committee for Information, Computer and Communications Policy, DSTI/ICCP/REG(2010)6/FINAL, 28, available at http://www.oecd.org/document/35/0,3746,en_2649_34223_44488739_1_1_1_1,00.html (last accessed on 21 April 2013); Stutzman and Acquisti (2011, 28); van der Hof and van den Berg; Adjerid et al. (2012).

35. See Ben-Shahar and Schneider (2010) ‘When a [disclosure] mandate is stated broadly, disclosers might think that duty requires – or prudence demands – disclosing everything.’

36. See also Meijer (2009, 262), regarding transparency provided through government websites ‘In a radical perspective this could mean that the representation itself becomes more important than the practice it is representing.’

37. See for example Tene and Polonetsky (2012, 335–338) ‘While the privacy-as-choice model is perceived as empowering individuals, it in fact often leaves them helpless and confused […] Policymakers and businesses, not individual users, should shoulder the burden of setting privacy safeguards’.

38. See Grimmelmann (2009, in particular at 1181 et seq). See also Edwards and Brown (2009, 202–227).

39. See Bygrave and Schartum (2009, 161). See also Hildebrandt (2009, 242) ‘[…] the sheer amount of occasions in need of consent turn the requirement into a hoax’.

40. This is true, even if in practice the actual notice is only incorporated by reference, and thus logically still removed from the exercise of ‘choice’.

41. See also Brownsword (2009, 100–101), observing that there is a tendency ‘to run the two questions together under the general rubric of informed consent’.

42. The ‘principle of openness’ is not explicitly listed in Directive 95/46/EC (it is enshrined in the OECD Privacy Guidelines), but it may be considered a variation on the same theme.

43. See also Calo (2012, 1063–1064). See also Hood (2007, 194 et seq) who highlights the trade-offs involved in different forms of transparency; and also Dawes (2010, 377–378) and Van den Berg and van der Hof (2012).

44. The ‘autonomy trap’ is a term coined by Paul Schwartz (2000, 821), referring to ‘a cluster of related consequences flowing from the reliance on the paradigm of control of personal data in cyberspace: (1) the strong limitations existing on informational self-determination as it is construed at present; (2) the fashion in which individual autonomy itself is shaped by the processing of personal data; and (3) the extent to which the State and private entities remove certain uses or certain types of personal data entirely from the domain of two-party negotiations.’

45. See also Article 29 Working Party, Opinion 15/2011 on the definition of consent, WP 187, 2011, 9.

46. One might also submit that the drafters of the Directive in fact used the same term (‘legitimate’) in three subtly distinct ways, namely: (1) ‘legitimacy of purpose’ (art. 6, 1, b) (i.e., the aim pursued may be considered as reasonable and respectable); (2) ‘legitimacy of processing’ (art. 7) (i.e., the processing enjoys sufficient authority, an authority which can derive either from consent of the individuals concerned or from endorsement/acceptance by the majority) and (3) ‘legitimacy of interest’ (art. 7, (f)) (i.e., an interest ‘being worthy of recognition’).

47. Organisation for Economic Co-operation and Development (OECD) (2010), Recommendation of the Council concerning Guidelines governing the protection of privacy and transborder flows of personal data, 23 September 1980, available at http://www.oecd.org (hereafter: ‘OECD Privacy Guidelines’).

48. See also Brownsword (2009, 90) exposing ‘the fallacy of necessity’.

49. In order to determine whether or not a particular practice may be ‘unfair despite consent’, it may be particularly useful to draw inspiration from consumer protection legislation. Specifically, statutory restrictions regarding the use of ‘unfair contract terms’ may provide informative criteria (such as ‘significant imbalance’ or ‘not reasonably necessary to secure legitimate interest’). See for example Australian Capital Territory Office of Regulatory Services a.o., ‘A guide to the unfair contract terms law’, Australian Consumer Law, 2012, available at http://www.consumerlaw.gov.au/content/the_acl/downloads/unfair_contract_terms_guide.PDF.

50. In certain instances, the initial assessment made by the controller may be the subject of regulatory scrutiny even before the processing is initiated. Under the current framework, this may be the result of a ‘prior checking’ mechanism adopted pursuant to article 20 of the Directive. In the proposed regulation, it is similarly foreseen that certain forms of processing require prior consultation with and/or authorization by a supervisory authority. See in particular article 34 of the ‘Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’, Brussels, 25 January 2012, COM(2012) 11 final 2012/0011 (COD).

51. See Bygrave and Schartum (2009, 166–167) concerning the principle of proportionality.

52. See also Tene and Polonetsky (2012, 341) calling upon policymakers to ‘actively cordon-off the limits of consent’.

53. See also Edwards and Brown (2009, 19) citing ‘model contracts’ and ‘industry or co-regulatory codes of conduct’ as a means for preventing retrospective litigation. Note that Member States may in fact have an obligation to impose certain restrictions, pursuant to their positive obligations under article 8 ECHR.

54. Federal Trade Commission (2012, 36). See also Tene and Polonetsky (2012, 339 et seq) comparing the FTC's approach of identifying ‘commonly accepted practices’ to enumeration of the ‘criteria for making data processing legitimate’ under article 7 of Directive 95/46/EC.

55. For instance, on the basis of the requirement regarding accessibility, one might argue that the information provided to the data subject may not be incorporated by reference, but should rather be presented prominently at the very moment that consent is to be either granted or withheld.

56. European Commission, Proposal for a General Data Protection Regulation, 8. See article 4(8) of the proposed Regulation.

57. See in particular recitals (25) and (33) of the proposed Regulation.

58. See article 7 of the proposed Regulation.

59. European Data Protection Supervisor, Opinion on the data protection reform package (2012), para. 151.

60. Under Article 8(2)(a) the processing of sensitive data is exceptionally allowed when the data subject has given his explicit consent.
