Regulating Privacy in the Online World

Things are moving forward on the privacy front.
In April, the so-called “Group 29”, an advisory body to the European Commission on privacy and public liberties matters, issued a memo in which it analyzed the activity of data-mining internet companies. More specifically, it sought to establish whether they respected the European regulatory framework, which is composed of two directives:
– the data protection directive, adopted in 1995, that ranks privacy as a fundamental right and establishes a set of general principles regarding personal data protection in the European Union;
– the ePrivacy directive, adopted in 2002, that specifically targets electronic communications (for instance, it states that users must be able to refuse cookies).

In its communication, the Group 29 gave an interpretation of the body of the directives, listing a set of principles that should apply to data-mining companies (see page 24 of the memo). It also called on the European Commission to legislate further on this issue. The aim? Acknowledging technological changes and making sure that the principles established by the 1995 directive are clearly transposed in the online world.

In the United States, Congress is shaking things up too. This past July, a few congressmen opened fire by scrutinizing NebuAd, a company that provides technology aimed at inspecting data packets circulating on Internet Service Providers’ networks so as to monitor users’ online activities. On August 1st, the Committee on Energy and Commerce expanded its investigation into behavioral advertising by sending a list of questions to more than thirty internet companies, among them Google and Microsoft but also AT&T and Comcast. The action has already triggered some interesting moves.

The first announcement came from Yahoo… In their letter, the congressmen asked why most data-mining companies didn’t provide users with “opt-out” features. Now, Yahoo’s recent advertising agreement with Google is being reviewed by the Justice Department, so the company has to act carefully when dealing with the federal Government. Hence, Yahoo conveniently announced that by the end of August it will introduce such functionality. Is that enough? Well, that might even be too much. As Yahoo’s privacy chief recalls, most users favor more tailored ads. Consequently, the question is not about opting out of innovation, but about the ability to control exactly what data companies collect about their users and what they do with it. Ads are tailored; so should users’ control over their personal data be.

Google adopted a different, in my opinion smarter, plan of action. In its own communication to Congress, it began by distancing itself from NebuAd’s deep packet inspection strategy and then gave assurances that it does not require personally identifiable information – even though this is not true if you register for Google’s other products such as Gmail. It defined its advertising practices as “contextual” and not “behavioral”, since it doesn’t keep track of users’ browsing history – even though users can access that function when they have a Google account. Besides, to protect users’ privacy, Google has so far refused to correlate data over its various services (Gmail, Blogger, search engines, iGoogle, Google Reader and others).

In the US, privacy law is segmented. No horizontal privacy standard applies as it does in Europe. Instead, different states have different regulations for different sectors (banking, healthcare, airlines etc.) and there are consequently 39 applicable laws regarding privacy across the US! In its conclusion, Google therefore pledges to support any initiative that aims to unify privacy regulation at the federal level and offers its cooperation.

These evolutions, on an issue as sensitive as privacy, are very significant and reflect a more general trend. By moving a little more each day into the internet cloud, our societies are confronted with very complex issues related to the intangible nature of cyberspace (copyright is another good example). For new technologies challenge principles our legal system has long relied on. They unsettle the bedrock of our social contract. Here, the matter is not one of arbitration between security and freedom but between traditional fundamental rights, such as every individual’s right to privacy protection, and technological innovation, which also brings social innovation and creates new rights. In this debate, which has only just begun, Internet companies must participate in the discussion and fully assume the highly political nature of their activities. By taking part in the public debate and mindfully adapting their business practices, they will really prove themselves responsible businesses.

Photo on Flickr by sunside under Creative Commons License.
