The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma.

Presentation transcript:

The Framework for Privacy Policies in the UK: Is telling people what information is gathered about them part of the framework? Does it need to be? Emma Cradock, University of Southampton

Informed Consent: Friedman, Felten and Millett (2000). Model of informed consent in the context of online interactions, based on six components: Disclosure, Comprehension, Voluntariness, Competence, Agreement, Minimal Distraction.

When looking at ‘disclosure’: If the action involves collecting information about an individual, then the following should also be made explicit: What information will be collected? Who will have access to the information? How long will the information be archived? What will the information be used for? How will the identity of the individual be protected?

How do we deal with disclosure?

Why focus on disclosure? Could look at: Comprehension – do people comprehend the content? Minimal Distraction - can we have natural language policies without this? But … it is equally important to look at disclosure!

Legal Framework in UK: Directive; Article 29 WP; Data Protection Act 1998; UK Information Commissioners Office; Regulation. Today / 2018?

So, does the framework make it an explicit requirement to disclose to individuals what information will be collected by organisations?

Not in Article 10 Article 10 – Data Controller must provide a data subject with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information as is necessary ….to guarantee fair processing in respect of the data subject. - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him

Article 11? Article 11 - Information where the data have not been obtained from the data subject (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing; (c) any further information such as - the categories of data concerned, - the recipients or categories of recipients, - the existence of the right of access to and the right to rectify the data concerning him - in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.

Differences between Articles 10 and 11: May not have needed this in an offline environment. European Commission stated in its first report on the implementation of the Directive: ‘… that it was an incorrect implementation to stipulate that this additional information must always be provided, irrespective of the necessity test’. Indicating the ‘categories of data being provided’ would not be a permanent requirement.

Article 29 Working Party. 2000: Software and hardware products should provide Internet users with information about the data that they intend to collect, store or transmit. 2007: Individual concerned must be given accurate and full information of all relevant issues, in particular those specified in Articles 10 and 11 of the Directive, such as the nature of the data processed. 2012: Google privacy policy, the exact purposes and collected categories of data (including data from other purposes). 2013: (In relation to apps) right to know what type of personal data is being processed. ‘Being told what data are being processed is particularly important given the broad access apps generally have to sensors and data structures on the device, where such access in many cases is not intuitively obvious’.

UK Data Protection Act Schedule 1, Part II 3(1): (a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

ICO (Information Commissioners Office) ‘Privacy Notices Code of Practice’ (2010): Provides an example of a good practice privacy policy which uses the heading: ‘What information do we collect about you?’ Does not state that users must be told what exact information is collected about them. Does state that when deciding whether to give ‘any further information necessary’ in the interests of fairness, you have to take into account the nature of the data and what the individuals concerned are likely to expect, but does not state that the nature of the data must be disclosed, merely that it must be taken into account.

ICO (Information Commissioners Office), Google Privacy Policy 2012: Has signed an undertaking to: Provide …. information regarding data processing, including an exhaustive list of the types of data processed by Google. The Code is due for an update – will this affirm that an exhaustive list of the types of data processed is required?

Does the framework explicitly provide that users should be told what information will be collected? The legislation in both the Directive and the DPA does not explicitly provide for it. The Article 29 Working Party have explicitly stated that in their opinion it is required for apps, and less explicitly at other points. Within the recent Google undertaking, ICO have also explicitly stated that this should be explicitly provided for.

Why is it not an explicit requirement? Directive was produced in the mid-1990s, possibly based on the assumption that users were aware what data they were giving away. So given that the Article 29 Working Party (and now ICO) had explicitly stated in their opinion that it is required, and that there is currently proposed Regulation in the pipeline …. Will this become an explicit requirement?

Proposed Regulation Article 14(1): Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information: (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer; (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (c) the period for which the personal data will be stored; (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; (f) the recipients or categories of recipients of the personal data; (g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission; (h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

Proposed Regulation: Not the final version. But the fact it has not been added up to this point is interesting, given the guidance of ICO and Article 29 WP. Also, especially as ….

It’s a requirement to inform others under the Reg. Article 43(2)(b): Binding Corporate Rules must specify: ‘the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question’. Article 31(3)(a): Notification of a personal data breach to the Supervisory Authority must at least: ‘describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned’. Article 28(2)(d): Each controller and processor shall maintain documentation of processing operations which shall contain at least the following: ‘a description of categories of data subjects and of the categories of personal data relating to them’.

Final Thoughts: Just a drop in the ocean? All components are required. Is this just another thing on something that people do not read? Making sure that users are provided with the information they need to be ‘informed’ is also very important in the context of user empowerment. Furthermore ….

Final Thoughts: Technological assistance, such as if we move away from the idea of users reading the privacy policies themselves and towards the use of: consenting agents; the format proposed by the usable privacy policy project; machine-readable policies. In all these cases, whether it is disclosed to the user or through a computer to aid them, the legal standard for the information which needs to be disclosed, and on which these advancements rely, still needs to be clarified.

Is it a legal requirement of all privacy notices? Why is it not explicitly stated? Should it be? Something to think about?